Closed Bug 1450881 Opened 2 years ago Closed 2 years ago

heap-use-after-free in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes

Categories

(Core :: DOM: Animation, defect)

61 Branch
defect
Not set

Tracking


VERIFIED FIXED
mozilla61
Tracking Status
firefox-esr52 --- disabled
firefox-esr60 --- disabled
firefox59 --- disabled
firefox60 --- disabled
firefox61 + verified

People

(Reporter: nils, Assigned: hiro)

References

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(5 files)

The following testcase crashes the latest ASAN fuzzing build (--enable-fuzzing) of Firefox 61.0a1 (SourceStamp=d75d996016dcf325c2db2ed8a47af512d07ffacd). It requires the pref fuzzing.enabled=true. 


crash.html:
<script>
function spin () {
    var x=new XMLHttpRequest();
    x.open("POST","https://mozilla.org",false);
    try{x.send("X");}catch(e){}
}
function start() {
	o97=document.createElement('ol');
	o101=document.createElement('li');
	o97.appendChild(o101);
	o102=document.createElement('li');
	o97.appendChild(o102);
	document.documentElement.appendChild(o97);
	o143=new KeyframeEffect(o101,[{columnGap: 'inherit'},{columnGap: 'normal'}],{"duration":134217713});
	o153=document.createElement('marquee');
	o153.addEventListener('DOMAttrModified',fun0);
	o102.appendChild(o153);
	o143.setKeyframes([{flexGrow: '32765'},{flexGrow: '40960'}]);
}
function fun0() {
	o101.remove();
	o143.target=null;
	o101=null;
	o102=null;
	o153=null;
	FuzzingFunctions.garbageCollect();
	FuzzingFunctions.cycleCollect();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==23064==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00004b138 at pc 0x7f2f57e07a9e bp 0x7ffe21c38a70 sp 0x7ffe21c38a68
READ of size 4 at 0x60d00004b138 thread T0 (file:// Content)
    #0 0x7f2f57e07a9d in HasFlag /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:264:15
    #1 0x7f2f57e07a9d in IsInShadowTree /builds/worker/workspace/build/src/dom/base/nsINode.h:1267
    #2 0x7f2f57e07a9d in GetComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:630
    #3 0x7f2f57e07a9d in nsContentUtils::GetPresShellForContent(nsIContent const*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3430
    #4 0x7f2f5cffbf5a in GetComputedStyleNoFlush /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.h:110:38
    #5 0x7f2f5cffbf5a in nsComputedDOMStyle::GetComputedStyle(mozilla::dom::Element*, nsAtom*, nsComputedDOMStyle::StyleType) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:465
    #6 0x7f2f57da0748 in GetTargetComputedStyle /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:836:10
    #7 0x7f2f57da0748 in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:193
    #8 0x7f2f5a8367f2 in mozilla::dom::KeyframeEffectBinding::setKeyframes(JSContext*, JS::Handle<JSObject*>, mozilla::dom::KeyframeEffect*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/KeyframeEffectBinding.cpp:1500:9
    #9 0x7f2f5a85f061 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3032:13
    #10 0x7f2f61113a17 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #11 0x7f2f61113a17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #12 0x7f2f610fe4d1 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #13 0x7f2f610fe4d1 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #14 0x7f2f610e491a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #15 0x7f2f61113795 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #16 0x7f2f61114a12 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #17 0x7f2f61c3ed1d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
    #18 0x7f2f59f6e39e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #19 0x7f2f5afb3d39 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #20 0x7f2f5afb3d39 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #21 0x7f2f5af7c74c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1090:51
    #22 0x7f2f5af7dfc5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1259:20
    #23 0x7f2f5af68837 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
    #24 0x7f2f5af6c5d3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:917:9
    #25 0x7f2f5d24f118 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1066:7
    #26 0x7f2f603bd38b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7292:21
    #27 0x7f2f603b94f9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7085:7
    #28 0x7f2f603c108f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #29 0x7f2f56ecf867 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
    #30 0x7f2f56ece8ea in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:858:14
    #31 0x7f2f56ecb4c5 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:747:9
    #32 0x7f2f56ecd48c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
    #33 0x7f2f56ece4ac in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #34 0x7f2f5526a6fa in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #35 0x7f2f5822b7aa in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8323:18
    #36 0x7f2f5822b7aa in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8245
    #37 0x7f2f5820b47a in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5311:3
    #38 0x7f2f5831f914 in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
    #39 0x7f2f5831f914 in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170
    #40 0x7f2f5831f914 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215
    #41 0x7f2f55077384 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:415:25
    #42 0x7f2f55096ae8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #43 0x7f2f550b2e50 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #44 0x7f2f55f8219a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #45 0x7f2f55ed1f69 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #46 0x7f2f55ed1f69 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #47 0x7f2f55ed1f69 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #48 0x7f2f5cba982a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #49 0x7f2f60e2f01b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #50 0x7f2f55ed1f69 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #51 0x7f2f55ed1f69 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #52 0x7f2f55ed1f69 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #53 0x7f2f60e2e9fa in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #54 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #55 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #56 0x7f2f74dc482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #57 0x42476c in _start (/fuzzer3/firefox/firefox+0x42476c)

0x60d00004b138 is located 24 bytes inside of 136-byte region [0x60d00004b120,0x60d00004b1a8)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f2f54f200a0 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f2f54f2845f in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f2f54f2845f in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925
    #4 0x7f2f54f2794d in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
    #5 0x7f2f54f2b516 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
    #6 0x7f2f582f443b in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1503:3
    #7 0x7f2f5a211ba9 in mozilla::dom::FuzzingFunctionsBinding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:50:3
    #8 0x7f2f61113a17 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #9 0x7f2f61113a17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #10 0x7f2f610fe4d1 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #11 0x7f2f610fe4d1 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #12 0x7f2f610e491a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #13 0x7f2f61113795 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #14 0x7f2f61114a12 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #15 0x7f2f61c3ed1d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
    #16 0x7f2f59f7314f in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #17 0x7f2f5af7c701 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #18 0x7f2f5af7c701 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1087
    #19 0x7f2f5af7dfc5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1259:20
    #20 0x7f2f5af68b37 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:559:14
    #21 0x7f2f5af6c5d3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:917:9
    #22 0x7f2f5af6e8ec in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:996:12
    #23 0x7f2f582d8bd4 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1174:5
    #24 0x7f2f5af02713 in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:70:12
    #25 0x7f2f57e1bfcf in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5653:15
    #26 0x7f2f58207957 in nsDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5086:3
    #27 0x7f2f5b36142c in nsHTMLDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2121:15
    #28 0x7f2f5d070dea in ~mozAutoDocConditionalContentUpdateBatch /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:83:18
    #29 0x7f2f5d070dea in ModifyDeclaration<(lambda at /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:318:5), (lambda at /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:321:5)> /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:308
    #30 0x7f2f5d070dea in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool, nsIPrincipal*) /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:316
    #31 0x7f2f58738d90 in SetMargin /builds/worker/workspace/build/src/layout/style/nsCSSPropList.h:2033:1
    #32 0x7f2f58738d90 in mozilla::dom::CSS2PropertiesBinding::set_margin(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:17461
    #33 0x7f2f5a85e703 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2993:8
    #34 0x7f2f61113a17 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #35 0x7f2f61113a17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #36 0x7f2f61116646 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #37 0x7f2f61116646 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #38 0x7f2f61116646 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:664
    #39 0x7f2f620e4e9b in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2786:10

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f2f5b1fef13 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f2f5b1fef13 in NS_NewHTMLLIElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLLIElement.cpp:16
    #4 0x7f2f5b340ec9 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:252:41
    #5 0x7f2f57e4584b in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:10105:18
    #6 0x7f2f5b340e28 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:235:10
    #7 0x7f2f58337e62 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:184:12
    #8 0x7f2f58212f3f in nsIDocument::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7858:17
    #9 0x7f2f58212960 in nsIDocument::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5680:26
    #10 0x7f2f59fcad68 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1261:59
    #11 0x7f2f5a85f061 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3032:13
    #12 0x7f2f61113a17 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #13 0x7f2f61113a17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #14 0x7f2f610fe4d1 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #15 0x7f2f610fe4d1 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #16 0x7f2f610e491a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #17 0x7f2f61113795 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #18 0x7f2f61114a12 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #19 0x7f2f61c3ed1d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
    #20 0x7f2f59f6e39e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #21 0x7f2f5afb3d39 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #22 0x7f2f5afb3d39 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #23 0x7f2f5af7c74c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1090:51
    #24 0x7f2f5af7dfc5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1259:20
    #25 0x7f2f5af68837 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
    #26 0x7f2f5af6c5d3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:917:9
    #27 0x7f2f5d24f118 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1066:7
    #28 0x7f2f603bd38b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7292:21
    #29 0x7f2f603b94f9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7085:7
    #30 0x7f2f603c108f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #31 0x7f2f56ecf867 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
    #32 0x7f2f56ece8ea in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:858:14
    #33 0x7f2f56ecb4c5 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:747:9

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:264:15 in HasFlag
Shadow bytes around the buggy address:
  0x0c1a800015d0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1a800015e0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1a800015f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a80001600: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1a80001610: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c1a80001620: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c1a80001630: fd fd fd fd fd fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a80001640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1a80001650: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a80001660: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c1a80001670: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23064==ABORTING
Attached file ASAN output
Group: core-security → dom-core-security
Brian, could you find somebody to investigate the sec-high bug? 
Thx!
Flags: needinfo?(bbirtles)
Hmm, that's odd. KeyframeEffectReadOnly::GetRenderedDocument() should be returning null causing us to return early in that first stack.
(In reply to Brian Birtles (:birtles) from comment #3)
> Hmm, that's odd. KeyframeEffectReadOnly::GetRenderedDocument() should be
> returning null causing us to return early in that first stack.

My gut feeling tells me that we should check nsIPresShell::IsDestroying() too in such cases?
Anyway I started building an ASAN build.
(In reply to Hiroyuki Ikezoe (:hiro) from comment #4)
> (In reply to Brian Birtles (:birtles) from comment #3)
> > Hmm, that's odd. KeyframeEffectReadOnly::GetRenderedDocument() should be
> > returning null causing us to return early in that first stack.
> 
> My gut feeling tells me that we should check nsIPresShell::IsDestroying() too
> in such cases?

That doesn't work since the element is destroyed in nsComputedDOMStyle::GetComputedStyle() [1] instead of code in dom/animation/.  And yeah, the destroying object in question is not a document it's the target element of the animation.

[1] https://hg.mozilla.org/mozilla-central/file/99c19a66c3a2/layout/style/nsComputedDOMStyle.cpp#l462
Oh, does the DOMAttrModified callback run inside nsComputedDOMStyle::GetComputedStyle?
We've discussed this and Hiro seems to have a good handle on it.
Assignee: nobody → hikezoe
Status: NEW → ASSIGNED
Flags: needinfo?(bbirtles)
Here is a similar test case using getAnimations() instead of setKeyframes().

I thought this also causes the use-after-free at the place where we call nsINode::IsElement()[1], but actually the test doesn't cause the use-after-free.  I did confirm that, in the test case, the target element is nullified in the callback, so that means that someone still holds a reference of the target element.  I guess it's JS context, but I don't have enough knowledge about JS to confirm it.

[1] https://hg.mozilla.org/mozilla-central/file/8d85e4da2546/dom/base/Element.cpp#l3750
Note that initially I wrote code something like this;

  OwningAnimationTarget kungfuDeathGrip(mTarget->mElement,
                                        mTarget->mPseudoType);

  RefPtr<ComputedStyle> style =  nsComputedDOMStyle::GetComputedStyle(mTarget->mElement, pseudo);
  if (!mTarget) {
    return nullptr;
  }

  return style.forget();

But it turns out that GetComputedStyle() returns nullptr in the failure case, so I just added a kungfu death grip there.
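The lifetime hazard discussed in this thread, as an added example in standard C++ (not code from this bug or from mozilla-central): an effect holds its target element, computing style runs a listener that can drop that reference, and the fix is a local strong reference held across the call. `Element`, `KeyframeEffect`, `getComputedStyle` and the live-object registry are stand-ins assumed for the illustration.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <string>

// Registry of live Element objects, so a stale pointer can be recognised
// instead of dereferenced (in the real build that is ASAN's job).
static std::set<const void*>& liveElements() {
    static std::set<const void*> s;
    return s;
}

static size_t liveElementCount() { return liveElements().size(); }

struct Element {
    std::string style = "flex-grow: 1";
    // Stand-in for the DOMAttrModified listener that runs during the style flush.
    std::function<void()> listener;
    Element() { liveElements().insert(this); }
    ~Element() { liveElements().erase(this); }
};

struct KeyframeEffect {
    std::shared_ptr<Element> target;  // plays the role of mTarget->mElement
};

// Stand-in for nsComputedDOMStyle::GetComputedStyle(): takes a raw pointer,
// as the real API does, and may run script before it reads the element.
// A dead element yields a marker string rather than a read of freed memory.
static std::string getComputedStyle(Element* el) {
    auto cb = el->listener;           // copy: the callback may destroy el
    if (cb) cb();                     // script runs here
    if (!liveElements().count(el)) return "<use-after-free>";
    return el->style;
}

// Buggy shape: hands out the member's raw pointer with no extra reference.
static std::string targetStyleBuggy(KeyframeEffect& effect) {
    return getComputedStyle(effect.target.get());
}

// Fixed shape: a local strong reference (the "kungfu death grip") keeps the
// element alive for the duration of the call, whatever script does meanwhile.
static std::string targetStyleFixed(KeyframeEffect& effect) {
    std::shared_ptr<Element> kungfuDeathGrip = effect.target;
    return getComputedStyle(kungfuDeathGrip.get());
}

// Mirrors fun0() in the testcase: the listener nulls the effect's target,
// which was the only reference, so the element is destroyed mid-call.
static std::string runScenario(bool fixed) {
    KeyframeEffect effect;
    effect.target = std::make_shared<Element>();
    effect.target->listener = [&effect] { effect.target = nullptr; };
    return fixed ? targetStyleFixed(effect) : targetStyleBuggy(effect);
}

int main() {
    runScenario(false);  // buggy path: element freed under the caller
    runScenario(true);   // fixed path: element outlives the call
    return liveElementCount() == 0 ? 0 : 1;
}
```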
Brian, can you take time to review the patch?

I am going to check whether this flaw exists on version 60 or 59.  The preference value which needs to reproduce the use-after-free is disabled by default on beta and release channels though.
Flags: needinfo?(bbirtles)
Comment on attachment 8971187 [details] [diff] [review]
Hold a reference of the target element when we get style for the element

Review of attachment 8971187 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you!
Attachment #8971187 - Flags: review+
Comment on attachment 8971188 [details] [diff] [review]
The crash test when setting null target during flush style

Review of attachment 8971188 [details] [diff] [review]:
-----------------------------------------------------------------

r=me assuming this reproduces the failure without the code changes.
Attachment #8971188 - Flags: review+
Flags: needinfo?(bbirtles)
Comment on attachment 8971187 [details] [diff] [review]
Hold a reference of the target element when we get style for the element

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
It will be really hard.  I am surprised that no fuzzer found this until version 61, actually this flaw was introduced in version 49 (bug 1067769).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I don't think so.

Which older supported branches are affected by this flaw?
On ESR 52.  But to exploit this vulnerability a preference named "dom.animations-api.core.enabled" which is disabled by default on any release and beta channels has to be enabled by users.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
I haven't created for other branches but it's pretty easy.

How likely is this patch to cause regressions; how much testing does it need?
I'd say nothing.  The patch just adds a local strong reference, it shouldn't change any visual behavior and it won't cause extra memory leak either.
Attachment #8971187 - Flags: sec-approval?
This is too late for the Firefox 60 release. There are no betas left and we're about to make release candidates. This can be checked in on May 22 (AND NO EARLIER), which is two weeks into the next cycle.
Whiteboard: [checkin on 5/22]
Attachment #8971187 - Flags: sec-approval? → sec-approval+
Ryan points out that this is disabled in everything but nightly. If this is the case, we can check this in immediately to trunk.
https://hg.mozilla.org/mozilla-central/rev/11204de188da
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Flags: sec-bounty?
Blocks: 1067769
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
I was able to reproduce the error and implicitly the crash on Firefox 61.0a1 (20180403040303) asan fuzzing build with the pref fuzzing.enabled set on true, under Ubuntu 16.04 x64 and macOS 10.13, using the test case mentioned in the bug's description.

I've tested this again on Firefox 62.0a1 (20180619100119) and Firefox 61.0 (20180619011111) asan fuzzing builds and the error and the crash didn't occur anymore.
Note though, that on Firefox 61.0 (20180619011111), I receive the following error message inside the terminal: JavaScript error: file:///home/anca.soncutean/Desktop/crash.html, line 15: ReferenceError: KeyframeEffect is not defined. Does this error message influence in any way the result of the testing?
Thank you Anca!

(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #19)

> Note though, that on Firefox 61.0 (20180619011111), I receive the following
> error message inside the terminal: JavaScript error:
> file:///home/anca.soncutean/Desktop/crash.html, line 15: ReferenceError:
> KeyframeEffect is not defined. Does this error message influence in any way
> the result of the testing?

You need to set dom.animations-api.element-animate.enabled true on the release and beta channels.
Thank you Hiroyuki for your prompt reply! It looks like the pref dom.animations-api.element-animate.enabled is set by default on true (beta and release). But the error message, that I mentioned in comment 19 is triggered, regardless if this pref is set on true or false.
Oops!  Sorry, the correct pref name is 'dom.animations-api.core.enabled'.
Setting 'dom.animations-api.core.enabled' pref on true, fixes indeed my error message. Therefore based on the comments 19-22 I will mark this bug as verified fixed.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release
Pushed by hikezoe@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1edaea454d03
A crash test when setting null target during flush style. r=birtles
Backed out changeset 1edaea454d03 (bug 1450881) for crashtest failures on dom/animation/test/crashtests/1450881-1.html. 


Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/aedb66e051cf1cf8139f270082809a4f20106c34

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=1edaea454d038c3c8f911925e424fd4a1423d74a&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=success&selectedJob=185438344

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=185438344&repo=mozilla-inbound&lineNumber=1132

13:47:50     INFO - REFTEST TEST-START | file:///Users/cltbld/tasks/task_1530218722/build/tests/reftest/tests/dom/animation/test/crashtests/1450881-1.html
13:47:50     INFO - REFTEST TEST-LOAD | file:///Users/cltbld/tasks/task_1530218722/build/tests/reftest/tests/dom/animation/test/crashtests/1450881-1.html | 71 / 3601 (1%)
13:48:01     INFO - 2018-06-28 13:48:01.085 firefox[743:3543] Persistent UI failed to open file file:///Users/cltbld/Library/Saved%20Application%20State/org.mozilla.nightly.savedState/window_1.data: No such file or directory (2)
13:52:50     INFO - REFTEST TEST-UNEXPECTED-FAIL | file:///Users/cltbld/tasks/task_1530218722/build/tests/reftest/tests/dom/animation/test/crashtests/1450881-1.html | load failed: timed out waiting for reftest-wait to be removed
Flags: needinfo?(hikezoe)
Something had been changed?  It seems DOMAttrModified event wasn't fired.
I wasn't aware of bug 1460295.  We need to use an alternative event there.
Flags: needinfo?(hikezoe)