Closed Bug 1431336 (CVE-2018-5128) Opened 6 years ago Closed 6 years ago

heap-use-after-free in nsTextEditorState::SetSelectionRange

Categories

(Core :: DOM: Editor, defect, P1)

59 Branch
defect

Tracking

()

VERIFIED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- wontfix
firefox59 + fixed
firefox60 + verified

People

(Reporter: nils, Assigned: m_kato, NeedInfo)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main59+])

Attachments

(5 files, 1 obsolete file)

The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=b7a651281314d6369658eeb58e3bb181cf95016f). It requires the fuzzPriv extension.

<script>
function start() {
	o15=document.createElement('input');
	o15.setRangeText(undefined+"");
	document.documentElement.onselect=fun0;
	document.documentElement.onselectstart=fun1;
	document.documentElement.appendChild(o15);
	window.setTimeout("tmp()",100);
	window.setTimeout("location.reload()", 400);
}
function tmp() {
	o15.select();
}
function fun0() {
	o15.setSelectionRange(1,-13);
	fuzzPriv.trustedKeyEvent(document.documentElement,'press',false,false,true,false,37,0);
}
function fun1() {
	o212=o15.cloneNode(false);
	o212.type='number';
	o15.type='hidden';
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==31055==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0002788e8 at pc 0x7f83ddca5375 bp 0x7ffc74832330 sp 0x7ffc74832328
READ of size 8 at 0x60c0002788e8 thread T0 (file:// Content)
    #0 0x7f83ddca5374 in nsTextEditorState::SetSelectionRange(unsigned int, unsigned int, nsITextControlFrame::SelectionDirection, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1799:10
    #1 0x7f83dd0f4e6f in mozilla::dom::HTMLInputElementBinding::setSelectionRange(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:3511:9
    #2 0x7f83dd3aed87 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3036:13
    #3 0x7f83e3df6a34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #4 0x7f83e3df6a34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #5 0x7f83e3de1a66 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #6 0x7f83e3de1a66 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #7 0x7f83e3dc8410 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #8 0x7f83e3df6f6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #9 0x7f83e3df7a92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #10 0x7f83e48dda6c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3029:12
    #11 0x7f83dccfe65e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #12 0x7f83dd8a293a in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #13 0x7f83dd8a293a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #14 0x7f83dd869121 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
    #15 0x7f83dd86b032 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
    #16 0x7f83dd854a33 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:520:14
    #17 0x7f83dd8581b8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:865:9
    #18 0x7f83dfc8150f in mozilla::PresShell::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7992:7
    #19 0x7f83dfc7dbe9 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7786:11
    #20 0x7f83dfc7c6f0 in mozilla::PresShell::HandleEventWithTarget(mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, bool, nsIContent**) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7573:17
    #21 0x7f83ddc99276 in nsTextInputListener::NotifySelectionChanged(nsIDOMDocument*, nsISelection*, short) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:927:22
    #22 0x7f83db2626b5 in mozilla::dom::Selection::NotifySelectionListeners() /builds/worker/workspace/build/src/dom/base/Selection.cpp:3840:15
    #23 0x7f83dff9cc04 in nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType) /builds/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:2022:23
    #24 0x7f83db25aba2 in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Selection.cpp:3206:25
    #25 0x7f83db259a62 in mozilla::dom::Selection::Extend(nsINode*, int) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2921:3
    #26 0x7f83dff96021 in nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, bool, bool) /builds/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp
    #27 0x7f83dff92982 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /builds/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:910:14
    #28 0x7f83dff9dd49 in nsFrameSelection::PhysicalMove(short, short, bool) /builds/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:1892:17
    #29 0x7f83ddc96675 in nsTextInputSelectionImpl::PhysicalMove(short, short, bool) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:565:28
    #30 0x7f83df5e6b3e in mozilla::SelectionMoveCommands::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/editor/libeditor/EditorCommands.cpp
    #31 0x7f83dd73ed60 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #32 0x7f83dd734a26 in nsBaseCommandController::DoCommand(char const*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #33 0x7f83df00182c in nsXBLPrototypeHandler::DispatchXBLCommand(mozilla::dom::EventTarget*, nsIDOMEvent*) /builds/worker/workspace/build/src/dom/xbl/nsXBLPrototypeHandler.cpp:568:17
    #34 0x7f83defd42de in nsXBLPrototypeHandler::ExecuteHandler(mozilla::dom::EventTarget*, nsIDOMEvent*) /builds/worker/workspace/build/src/dom/xbl/nsXBLPrototypeHandler.cpp:285:12
    #35 0x7f83df01f1ed in nsXBLWindowKeyHandler::WalkHandlersAndExecute(nsIDOMKeyEvent*, nsAtom*, nsXBLPrototypeHandler*, unsigned int, mozilla::IgnoreModifierState const&, bool, bool*) /builds/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:793:28
    #36 0x7f83df018d86 in nsXBLWindowKeyHandler::WalkHandlersInternal(nsIDOMKeyEvent*, nsAtom*, nsXBLPrototypeHandler*, bool, bool*) /builds/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:647:12
    #37 0x7f83df01875e in nsXBLWindowKeyHandler::WalkHandlers(nsIDOMKeyEvent*, nsAtom*) /builds/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:303:3
    #38 0x7f83df01e034 in nsXBLWindowKeyHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:527:10
    #39 0x7f83dd869121 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
    #40 0x7f83dd86b032 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
    #41 0x7f83dd854a33 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:520:14
    #42 0x7f83dd854dc6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:549:5
    #43 0x7f83dd8581b8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:865:9
    #44 0x7f83dd85a0cc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:932:12
    #45 0x7f83db49a3bf in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1359:5
    #46 0x7f83dd878571 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:102:9
    #47 0x7f83dcdf8043 in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:981:21
    #48 0x7f83dcdf54a6 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1157:13
    #49 0x7f83e3df6a34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #50 0x7f83e3df6a34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #51 0x7f83e3de1a66 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #52 0x7f83e3de1a66 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #53 0x7f83e3dc8410 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #54 0x7f83e3df6f6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #55 0x7f83e3df7a92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #56 0x7f83e48db5f1 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2970:12
    #57 0x7f83d9b49302 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #58 0x7f83e3df6a34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #59 0x7f83e3df6a34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #60 0x7f83e3de1a66 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #61 0x7f83e3de1a66 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #62 0x7f83e3dc8410 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #63 0x7f83e3df6f6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #64 0x7f83e3df7a92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #65 0x7f83e48dda6c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3029:12
    #66 0x7f83dccfe65e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #67 0x7f83dd8a293a in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #68 0x7f83dd8a293a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #69 0x7f83dd869121 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
    #70 0x7f83dd86b032 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
    #71 0x7f83dd854a33 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:520:14
    #72 0x7f83dd8581b8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:865:9
    #73 0x7f83dd85a0cc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:932:12
    #74 0x7f83db49a3bf in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1359:5
    #75 0x7f83dd7e1b33 in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:70:12
    #76 0x7f83d821ca70 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #77 0x7f83d8244c5d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #78 0x7f83d825fa30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #79 0x7f83d90ea83a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #80 0x7f83d9042139 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #81 0x7f83d9042139 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #82 0x7f83d9042139 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #83 0x7f83df463dea in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #84 0x7f83e3b1fedb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:874:22
    #85 0x7f83d9042139 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #86 0x7f83d9042139 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #87 0x7f83d9042139 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #88 0x7f83e3b1f8c1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:700:34
    #89 0x4ee915 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #90 0x4ee915 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #91 0x7f83f701382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #92 0x41dfe8 in _start (/fuzzer3/firefox/firefox+0x41dfe8)

0x60c0002788e8 is located 40 bytes inside of 128-byte region [0x60c0002788c0,0x60c000278940)
freed by thread T0 (file:// Content) here:
    #0 0x4be9f2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f83ddad7317 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:183:12
    #2 0x7f83ddad7317 in ReleaseTextEditorState /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1106
    #3 0x7f83ddad7317 in mozilla::dom::HTMLInputElement::FreeData() /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1195
    #4 0x7f83ddadef49 in mozilla::dom::HTMLInputElement::HandleTypeChange(unsigned char, bool) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:4951:3
    #5 0x7f83ddadc255 in mozilla::dom::HTMLInputElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1431:9
    #6 0x7f83db198193 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /builds/worker/workspace/build/src/dom/base/Element.cpp:2773:10
    #7 0x7f83db18c42a in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2615:10
    #8 0x7f83dd10d58d in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:889:12
    #9 0x7f83dd10d58d in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:884
    #10 0x7f83dd10d58d in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1645
    #11 0x7f83dd10d58d in SetHTMLAttr /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:814
    #12 0x7f83dd10d58d in SetType /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLInputElement.h:738
    #13 0x7f83dd10d58d in mozilla::dom::HTMLInputElementBinding::set_type(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:2470
    #14 0x7f83dd3ae439 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2997:8
    #15 0x7f83e3df6a34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #16 0x7f83e3df6a34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #17 0x7f83e3df9186 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #18 0x7f83e3df9186 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541
    #19 0x7f83e3df9186 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:670
    #20 0x7f83e4ea037c in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2736:10
    #21 0x7f83e4e9679c in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2764:20
    #22 0x7f83e3dda04a in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1637:12
    #23 0x7f83e3dda04a in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:270
    #24 0x7f83e3dda04a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2893
    #25 0x7f83e3dc8410 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #26 0x7f83e3df6f6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #27 0x7f83e3df7a92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #28 0x7f83e48dda6c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3029:12
    #29 0x7f83dccfe65e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #30 0x7f83dd8a293a in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #31 0x7f83dd8a293a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #32 0x7f83dd869121 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
    #33 0x7f83dd86b032 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
    #34 0x7f83dd854a33 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:520:14
    #35 0x7f83dd8581b8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:865:9
    #36 0x7f83dd85a0cc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:932:12
    #37 0x7f83db49a3bf in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1359:5
    #38 0x7f83daf9850e in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4506:18
    #39 0x7f83daf982c4 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4474:10
    #40 0x7f83db23db58 in mozilla::dom::Selection::AddItem(nsRange*, int*, bool) /builds/worker/workspace/build/src/dom/base/Selection.cpp:1130:11
    #41 0x7f83db2532c0 in mozilla::dom::Selection::AddRangeInternal(nsRange&, nsIDocument*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2359:14
    #42 0x7f83db252cc4 in AddRange /builds/worker/workspace/build/src/dom/base/Selection.cpp:2325:10
    #43 0x7f83db252cc4 in mozilla::dom::Selection::AddRange(nsIDOMRange*) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2310

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bed33 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4ef79d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f83ddc9b70a in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:159:12
    #3 0x7f83ddc9b70a in nsTextEditorState::Construct(nsITextControlElement*, nsTextEditorState**) /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1179
    #4 0x7f83ddad66ce in mozilla::dom::HTMLInputElement::HTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&, mozilla::dom::FromParser, mozilla::dom::HTMLInputElement::FromClone) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1159:5
    #5 0x7f83ddac7aec in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:124:1
    #6 0x7f83ddc61b2d in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:254:41
    #7 0x7f83dafcc73a in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:10110:18
    #8 0x7f83ddc61a88 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:237:10
    #9 0x7f83db4e94be in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:183:12
    #10 0x7f83db3c78d1 in nsDocument::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8506:17
    #11 0x7f83db3ae577 in nsDocument::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5946:26
    #12 0x7f83dcd45d9c in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1229:59
    #13 0x7f83dd3aed87 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3036:13
    #14 0x7f83e3df6a34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #15 0x7f83e3df6a34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #16 0x7f83e3de1a66 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #17 0x7f83e3de1a66 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #18 0x7f83e3dc8410 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #19 0x7f83e3df6f6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #20 0x7f83e3df7a92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #21 0x7f83e48dda6c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3029:12
    #22 0x7f83dccfe65e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #23 0x7f83dd8a293a in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #24 0x7f83dd8a293a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #25 0x7f83dd869121 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
    #26 0x7f83dd86b032 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
    #27 0x7f83dd854792 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:496:16
    #28 0x7f83dd8581b8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:865:9
    #29 0x7f83dfd40f78 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1072:7
    #30 0x7f83e307354d in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7259:21
    #31 0x7f83e306f5fa in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7052:7
    #32 0x7f83e307726f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #33 0x7f83da108837 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1319:3

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1799:10 in nsTextEditorState::SetSelectionRange(unsigned int, unsigned int, nsITextControlFrame::SelectionDirection, mozilla::ErrorResult&)
Shadow bytes around the buggy address:
  0x0c18800470c0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c18800470d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c18800470e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c18800470f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880047100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1880047110: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x0c1880047120: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880047130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1880047140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880047150: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880047160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31055==ABORTING
Attached file ASAN output
Group: core-security → dom-core-security
Makoto, can you look into this security bug?
It has a test case and it's idle for almost three weeks.

We usually aim for a 2 weeks timeline for sec-high bugs.
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
I am looking...
Flags: needinfo?(m_kato)
Priority: -- → P1
OK, nsTextEditorState doesn't hold myself.  When type is changed, it will be released unfortunately, then use-after-free occurs.
This might be regression by bug 1343037.  Before bug 1343037, SetSelctionRange will destroy myself.  But no one touches this after that.
Attached patch crashtestSplinter Review
Comment on attachment 8950821 [details] [diff] [review]
Don't destroy nsTextEditorState immediately

setSelectionRange can fire selectionstart event.  When selectionstart event listener changes type attribute of input element, HTMLInputElement destroys nsTextEditorState if new type isn't text etc.  But since setSelectionRange is implemented by nsTextEditorState, it causes use-after-free by changing type attribute on event handler.

nsTextEditorState isn't refcountable, so it should be destroyed lazy when on type changed.

Also, due to changing type, some frame will be unbind.  So we need additional check whether frame isn't nullptr by selection related method/event.
Attachment #8950821 - Flags: review?(bugs)
Comment on attachment 8950821 [details] [diff] [review]
Don't destroy nsTextEditorState immediately

This looks very heavy weight. I would be surprised if async deletion doesn't show up in some microbenchmarks. 
And event loop may spin right after type attribute has been changed, before Selection::AddItem returns. Wouldn't that still cause us to delete nsTextEditorState too early? 

Since the stack traces in comment 0 are missing the interesting bits, could you explain where we're actually crashing, or where we enter to mozilla::dom::Selection::AddRange.
Is it around
     aRv = mBoundFrame->SetSelectionRange(aStart, aEnd, aDirection);
-    if (aRv.Failed()) {
+    if (aRv.Failed() || !mBoundFrame) {
Could we use weakframe tricks, like is used elsewhere in nsTextEditorState?
Attachment #8950821 - Flags: review?(bugs) → review-
Stack of deleting nsTextEditorState 

 ChildEBP RetAddr
04d39414 129ebad7 xul!nsTextEditorState::~nsTextEditorState
04d39420 129d9dd1 xul!mozilla::dom::HTMLInputElement::ReleaseTextEditorState+0x36
04d39430 129e182b xul!mozilla::dom::HTMLInputElement::FreeData+0x37
04d3958c 129d34c3 xul!mozilla::dom::HTMLInputElement::HandleTypeChange+0x14b
04d39680 11dba82b xul!mozilla::dom::HTMLInputElement::AfterSetAttr+0x231
04d398fc 11dba1f2 xul!mozilla::dom::Element::SetAttrAndNotify+0x543
04d39978 126ca5e7 xul!mozilla::dom::Element::SetAttr+0x250
(Inline) -------- xul!mozilla::dom::Element::SetAttr+0x1b
(Inline) -------- xul!mozilla::dom::Element::SetAttr+0x1b
(Inline) -------- xul!mozilla::dom::Element::SetAttr+0x1b
(Inline) -------- xul!nsGenericHTMLElement::SetHTMLAttr+0x1b
(Inline) -------- xul!mozilla::dom::HTMLInputElement::SetType+0x1b
04d39a80 127d3eab xul!mozilla::dom::HTMLInputElementBinding::set_type+0x12c
04d39ad4 15238194 xul!mozilla::dom::GenericBindingSetter+0x122
04d39afc 15241a5d xul!js::CallJSNative+0x74
04d39b5c 1524171d xul!js::InternalCallOrConstruct+0x21d
04d39b90 15238590 xul!InternalCall+0xfd
(Inline) -------- xul!js::Call+0x33
04d39c10 14e7bee5 xul!js::CallSetter+0xc0
04d39c78 14e6dbd9 xul!SetExistingProperty+0x385
04d39cec 14a7eba5 xul!js::NativeSetProperty<1>+0x1f9
04d39d0c 1525299b xul!js::SetProperty+0x55
04d39d44 1524482f xul!SetPropertyOperation+0x8b
04d3a4e4 15251385 xul!Interpret+0x24bf
04d3a590 15241b13 xul!js::RunScript+0x235
04d3a5ec 1524171d xul!js::InternalCallOrConstruct+0x2d3
04d3a620 15237e54 xul!InternalCall+0xfd
04d3a634 14a58be1 xul!js::Call+0x34
04d3a6fc 125dbe04 xul!JS::Call+0xd1
04d3a7ec 1292267a xul!mozilla::dom::EventHandlerNonNull::Call+0x165
04d3a914 12931365 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0x110
04d3aad0 1293211a xul!mozilla::JSEventHandler::HandleEvent+0x657
04d3ab1c 12931b87 xul!mozilla::EventListenerManager::HandleEventSubType+0xd8
04d3adb8 12930ba6 xul!mozilla::EventListenerManager::HandleEventInternal+0x56b
04d3add8 12930ca2 xul!mozilla::EventListenerManager::HandleEvent+0x54
04d3ae00 129322ee xul!mozilla::EventTargetChainItem::HandleEvent+0xe1
04d3ae24 1292ccb9 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x14d
04d3aec4 1292d5d4 xul!mozilla::EventDispatcher::Dispatch+0x8da
04d3aef8 11e7eb80 xul!mozilla::EventDispatcher::DispatchDOMEvent+0xba
04d3af20 11d143bd xul!nsINode::DispatchEvent+0x69
04d3af50 11d14514 xul!nsContentUtils::DispatchEvent+0xe3
04d3af78 11de5c27 xul!nsContentUtils::DispatchTrustedEvent+0x1e
04d3afd8 11de6604 xul!mozilla::dom::Selection::AddItem+0x22d
04d3affc 11de6520 xul!mozilla::dom::Selection::AddRangeInternal+0xa7
(Inline) -------- xul!mozilla::dom::Selection::AddRange+0x2a
04d3b044 135c42cf xul!mozilla::dom::Selection::AddRange+0x59
04d3b078 135c4049 xul!nsTextControlFrame::SetSelectionInternal+0x214
04d3b0ac 135c4471 xul!nsTextControlFrame::SetSelectionEndPoints+0x13a
04d3b0c8 12a59180 xul!nsTextControlFrame::SetSelectionRange+0x71
04d3b19c 12a59077 xul!nsTextEditorState::SetSelectionRange+0xf3
04d3b1b8 126f95cd xul!nsTextEditorState::SetSelectionRange+0x3f
04d3b2bc 127d3ce3 xul!mozilla::dom::HTMLInputElementBinding::setSelectionRange+0x1af
04d3b31c 15238194 xul!mozilla::dom::GenericBindingMethod+0x10d
04d3b344 15241a5d xul!js::CallJSNative+0x74
04d3b3a4 1524171d xul!js::InternalCallOrConstruct+0x21d
04d3b3d8 15245315 xul!InternalCall+0xfd
04d3bb6c 15251385 xul!Interpret+0x2fa5
04d3bc18 15241b13 xul!js::RunScript+0x235
04d3bc74 1524171d xul!js::InternalCallOrConstruct+0x2d3
04d3bca8 15237e54 xul!InternalCall+0xfd
04d3bcbc 14a58be1 xul!js::Call+0x34
04d3bd84 125dbe04 xul!JS::Call+0xd1
04d3be74 1292267a xul!mozilla::dom::EventHandlerNonNull::Call+0x165
04d3bf9c 12931365 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0x110
04d3c158 1293211a xul!mozilla::JSEventHandler::HandleEvent+0x657
04d3c1a4 12931b87 xul!mozilla::EventListenerManager::HandleEventSubType+0xd8
04d3c440 12930ba6 xul!mozilla::EventListenerManager::HandleEventInternal+0x56b
04d3c460 12930ca2 xul!mozilla::EventListenerManager::HandleEvent+0x54
04d3c488 129322ee xul!mozilla::EventTargetChainItem::HandleEvent+0xe1
04d3c4ac 1292ccb9 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x14d
04d3c54c 13438866 xul!mozilla::EventDispatcher::Dispatch+0x8da
04d3c584 1344642a xul!mozilla::PresShell::DispatchEventToDOM+0xf6
04d3c600 13446d40 xul!mozilla::PresShell::HandleEventInternal+0x53f
04d3c630 12a52b8b xul!mozilla::PresShell::HandleEventWithTarget+0x103
04d3c6ec 132676d4 xul!mozilla::TextInputListener::OnSelectionChange+0x108
04d3c708 11df501e xul!mozilla::EditorBase::NotifySelectionChanged+0x74
04d3c780 1356441d xul!mozilla::dom::Selection::NotifySelectionListeners+0x2a8
04d3c790 11ded483 xul!nsFrameSelection::NotifySelectionListeners+0x36
04d3c7ec 11decd98 xul!mozilla::dom::Selection::Extend+0x6b6
04d3c830 1357bdda xul!mozilla::dom::Selection::Extend+0x41
04d3c93c 13563189 xul!nsFrameSelection::TakeFocus+0x344
04d3ca04 135666f9 xul!nsFrameSelection::MoveCaret+0x4be
04d3ca40 12a544f7 xul!nsFrameSelection::PhysicalMove+0x151
04d3ca5c 13255c2e xul!nsTextInputSelectionImpl::PhysicalMove+0x30
04d3ca8c 128dc0d4 xul!mozilla::SelectionMoveCommands::DoCommand+0x1e0
04d3caac 128dbf6e xul!nsControllerCommandTable::DoCommand+0x64
04d3cad0 13006615 xul!nsBaseCommandController::DoCommand+0x8c
04d3cb60 13008499 xul!nsXBLPrototypeHandler::DispatchXBLCommand+0x313
04d3ccb8 1302094a xul!nsXBLPrototypeHandler::ExecuteHandler+0x10c
04d3ccec 13020b3c xul!nsXBLWindowKeyHandler::WalkHandlersAndExecute+0x1f5
04d3cd80 13020708 xul!nsXBLWindowKeyHandler::WalkHandlersInternal+0x6a
04d3cdb0 1301f1ab xul!nsXBLWindowKeyHandler::WalkHandlers+0xd8
04d3cdd0 1293211a xul!nsXBLWindowKeyHandler::HandleEvent+0xd0
04d3ce1c 12931b87 xul!mozilla::EventListenerManager::HandleEventSubType+0xd8
04d3d0b8 12930ba6 xul!mozilla::EventListenerManager::HandleEventInternal+0x56b
04d3d0d8 12930ca2 xul!mozilla::EventListenerManager::HandleEvent+0x54
04d3d100 129322ee xul!mozilla::EventTargetChainItem::HandleEvent+0xe1
04d3d124 1293236c xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x14d
04d3d150 1292ccb9 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x1cb
04d3d1f0 1292d5d4 xul!mozilla::EventDispatcher::Dispatch+0x8da
04d3d224 11e7eb80 xul!mozilla::EventDispatcher::DispatchDOMEvent+0xba
04d3d24c 1292d63e xul!nsINode::DispatchEvent+0x69
04d3d264 125a3e2c xul!mozilla::dom::EventTarget::DispatchEvent+0x15
04d3d2b8 125a9663 xul!mozilla::dom::EventTargetBinding::dispatchEvent+0xe1
04d3d30c 149f53c3 xul!mozilla::dom::EventTargetBinding::genericMethod+0x19b
04d3d320 15238194 xul!js::CompartmentChecker::check+0x23
04d3d354 15241a5d xul!js::CallJSNative+0x74
04d3d3b4 1524171d xul!js::InternalCallOrConstruct+0x21d
04d3d3e8 15245315 xul!InternalCall+0xfd
04d3db7c 15251385 xul!Interpret+0x2fa5
04d3dc28 15241b13 xul!js::RunScript+0x235
04d3dc84 1524171d xul!js::InternalCallOrConstruct+0x2d3
04d3dcb8 15237e54 xul!InternalCall+0xfd
04d3dccc 14a67bdf xul!js::Call+0x34
04d3ddb4 1171bd87 xul!JS_CallFunctionValue+0x18f
04d3de94 15238194 xul!xpc::FunctionForwarder+0x305
04d3debc 15241a5d xul!js::CallJSNative+0x74
04d3df1c 1524171d xul!js::InternalCallOrConstruct+0x21d
04d3df50 15245315 xul!InternalCall+0xfd
04d3e6e4 15251385 xul!Interpret+0x2fa5
04d3e790 15241b13 xul!js::RunScript+0x235
04d3e7ec 1524171d xul!js::InternalCallOrConstruct+0x2d3
04d3e820 15237e54 xul!InternalCall+0xfd
04d3e834 14a58be1 xul!js::Call+0x34
04d3e8fc 125dbe04 xul!JS::Call+0xd1
04d3e9ec 1292267a xul!mozilla::dom::EventHandlerNonNull::Call+0x165
04d3eb14 12931365 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0x110
04d3ecd0 1293211a xul!mozilla::JSEventHandler::HandleEvent+0x657
04d3ed18 12931b87 xul!mozilla::EventListenerManager::HandleEventSubType+0xd8
04d3efb4 12930ba6 xul!mozilla::EventListenerManager::HandleEventInternal+0x56b
04d3efd4 12930ca2 xul!mozilla::EventListenerManager::HandleEvent+0x54
04d3effc 129322ee xul!mozilla::EventTargetChainItem::HandleEvent+0xe1
04d3f020 1292ccb9 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x14d
04d3f0c0 1292d5d4 xul!mozilla::EventDispatcher::Dispatch+0x8da
04d3f0f4 11e7eb80 xul!mozilla::EventDispatcher::DispatchDOMEvent+0xba
04d3f11c 1291e06e xul!nsINode::DispatchEvent+0x69
04d3f148 10d3f44e xul!mozilla::AsyncEventDispatcher::Run+0x190
04d3f194 10d51b46 xul!mozilla::SchedulerGroup::Runnable::Run+0x3c
04d3f724 10d5c545 xul!nsThread::ProcessNextEvent+0x4ec
04d3f744 1123456b xul!NS_ProcessNextEvent+0x5a
04d3f764 112346c7 xul!mozilla::ipc::MessagePump::Run+0x127
04d3f77c 11205592 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0xb9
04d3f79c 1120552e xul!MessageLoop::RunInternal+0x49
04d3f7d0 11205152 xul!MessageLoop::RunHandler+0x50
04d3f7f0 131b5a10 xul!MessageLoop::Run+0x19
04d3f800 13211667 xul!nsBaseAppShell::Run+0x47
04d3f810 1489b296 xul!nsAppShell::Run+0x1f
04d3f824 1123463c xul!XRE_RunAppShell+0x4f
04d3f838 11205592 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x2e
04d3f858 1120552e xul!MessageLoop::RunInternal+0x49
04d3f88c 11205152 xul!MessageLoop::RunHandler+0x50
04d3f8ac 1489aac2 xul!MessageLoop::Run+0x19
04d3f9d0 148a5da7 xul!XRE_InitChildProcess+0x6e4
04d3f9e4 00275149 xul!mozilla::BootstrapImpl::XRE_InitChildProcess+0x11
04d3fa10 00274de1 firefox!content_process_main+0xa4
04d3fa50 00275824 firefox!NS_internal_main+0x8c
04d3fa90 002bc1fb firefox!wmain+0x12e
(Inline) -------- firefox!invoke_main+0x1c
04d3fad8 765e8654 firefox!__scrt_common_main_seh+0xf9
04d3faec 76f64a77 KERNEL32!BaseThreadInitThunk+0x24
04d3fb34 76f64a47 ntdll!__RtlUserThreadStart+0x2f
04d3fb44 00000000 ntdll!_RtlUserThreadStart+0x1b
(In reply to Olli Pettay [:smaug] from comment #9)
> Comment on attachment 8950821 [details] [diff] [review]
> Don't destroy nsTextEditorState immediately
> 
> Since the stack traces in comment 0 are missing the interesting bits, could
> you explain where we're actually crashing, or where we enter to
> mozilla::dom::Selection::AddRange.
> Is it around
>      aRv = mBoundFrame->SetSelectionRange(aStart, aEnd, aDirection);
> -    if (aRv.Failed()) {
> +    if (aRv.Failed() || !mBoundFrame) {
> Could we use weakframe tricks, like is used elsewhere in nsTextEditorState?

delete nsTextEditorState's  stack is comment #10.  HTMLInputElement::HandleTypeChange destroys nsTextEditorState.

Since nsTextEditorState is destroyed, nsTextEditorState::mBooudnFrame (before delete nsTextEditorState) is clear by UnbindFromFrame via HTMLInputElement::FreeData.

I should use weakPtr simply, so new patch is coming soon.
Comment on attachment 8951160 [details] [diff] [review]
Use WeakPtr to detect whether nsTextEdtiorState is destroyed

mBoundFrame->SetSelectionRange in sTextEditorState::SetSelectionRange can destroy own (nsTextEditorState) when selection event handler set type attribute to others such as hidden.  So to detect myself is destroyed, we should use WeakPtr for nsTextEditorState.

Also, nsTextEditorState::UnbindFromFrame resets frame of TextInputListener.  we should add nullptr check for TextInputListener::mFrame.
Attachment #8951160 - Flags: review?(bugs)
Attachment #8951160 - Flags: review?(bugs) → review+
Comment on attachment 8951160 [details] [diff] [review]
Use WeakPtr to detect whether nsTextEdtiorState is destroyed

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Attacker has to know a pointer address of nsTextEditorState to create exploit.  But attacker might be able to cause this UAF by script.  If an event handler of select / selectstart event by input.setSelectionRange changes type attribute of input element, UAF might be occurred.

From this patch, anyone thinks that this is a kind of UAF since we check whether object (nsTextEditorState) is still alive.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

Firefox 55+

If not all supported branches, which bug introduced the flaw?

Bug 1343037

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Yes.

How likely is this patch to cause regressions; how much testing does it need?

Too low. Because I add a check whether nsTextEditorState is still alive or not.
Attachment #8951160 - Flags: sec-approval?
Attached patch rebase For 59Splinter Review
Comment on attachment 8951210 [details] [diff] [review]
rebase For 59

Approval Request Comment
[Feature/Bug causing the regression]:
Bug 1343037

[User impact if declined]:
Use after free by script.

[Is this code covered by automated tests?]:
No because this is security issue.  But I attach a crash test for this

[Has the fix been verified in Nightly?]:
No, I don't land this yet since this is security bug.

[Needs manual test from QE? If yes, steps to reproduce]: 
No

[List of other uplifts needed for the feature/fix]:
N/A

[Is the change risky?]:
Low.

[Why is the change risky/not risky?]:
This patch adds a check whether nsTextEditorState is still alive or not.

[String changes made/needed]:
No
Attachment #8951210 - Flags: approval-mozilla-beta?
Flags: sec-bounty?
sec-approval+ for trunk and I'll give beta approval as well.
Attachment #8951210 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8951160 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/477829f02dd7
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Group: dom-core-security → core-security-release
Blocks: 1343037
Flags: sec-bounty? → sec-bounty+
Keywords: regression
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
I  have manage  to reproduce this issue on Firefox 59.0a1 asan build (20180118215337) under Ubuntu 16.04 x64, after installing the FuzzPriv extension ( with the following pref settings:  xpinstall.signatures.required - false; extensions.legacy.enabled - true; extensions.allow-non-mpc-extensions - true).
I couldn’t reproduce it instead, on a fuzzing build (with fuzzing.enabled pref set on true).

I have tried to verify if this bug is still reproducible, but I can only confirm the fix on Firefox Nightly 60.0a1 asan build  (20180305094156), under Ubuntu 16.04 x64. I couldn’t install the FuzzPriv extension on the Firefox Beta 59.0b14 asan build (20180303215307).

Nils, could you please tell me if there is another way to install the FuzzPriv extension or to verify, both the reproducibility and the fix of this issue on Firefox Beta?
Flags: needinfo?(nils)
(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #21)

> Nils, could you please tell me if there is another way to install the
> FuzzPriv extension or to verify, both the reproducibility and the fix of
> this issue on Firefox Beta?

Anca, the fuzzPriv extension is a legacy extension and is not supported on release or beta. There is a web extension version available [1] with a subset of features. Bug 1343955 is open to get support for trustedKeyEvent which is required by this bug.

[1] https://github.com/MozillaSecurity/fuzzpriv
So, I see that I can't verify this bug's behavior on Firefox Beta until the implementation of trustedKeyEvent in FuzzingFunctions is done. Therefore, based on comment 21 and comment 22, I will mark this issue verified only on Firefox Nigthly 60.
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+]
Alias: CVE-2018-5128
Flags: in-testsuite?
Group: core-security-release
Hi, This issue can only be tested in Nightly and since its been verified already I will mark this issue accordingly.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.