Closed
Bug 1452464
Opened 7 years ago
Closed 7 years ago
use-after-poison in [@ nsSubDocumentFrame::GetSubdocumentPresShellForPainting]
Categories
(Core :: Web Painting, defect, P1)
Core
Web Painting
Tracking
()
VERIFIED
FIXED
mozilla62
People
(Reporter: tsmith, Assigned: mattwoodrow)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, sec-moderate, testcase, Whiteboard: [post-critsmash-triage])
Attachments
(3 files)
|
1.19 KB,
text/html
|
Details | |
|
11.42 KB,
application/x-javascript
|
Details | |
|
3.70 KB,
patch
|
mikokm
:
review+
RyanVM
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
Found in m-c 20180407-aacc170ff3f6
I will attach the testcase once reduction is complete.
==21768==ERROR: AddressSanitizer: use-after-poison on address 0x6250020d5c70 at pc 0x7fd055d7c976 bp 0x7ffcfb4fad70 sp 0x7ffcfb4fad68
READ of size 8 at 0x6250020d5c70 thread T0 (file:// Content)
#0 0x7fd055d7c975 in nsSubDocumentFrame::GetSubdocumentPresShellForPainting(unsigned int) src/layout/generic/nsSubDocumentFrame.cpp:213:8
#1 0x7fd056385752 in IncrementSubDocPresShellPaintCount src/layout/painting/RetainedDisplayListBuilder.cpp:194:42
#2 0x7fd056385752 in MergeState::ProcessOldNode(Index<OldListUnits>, nsTArray<Index<MergedListUnits> >&&) src/layout/painting/RetainedDisplayListBuilder.cpp:354
#3 0x7fd056272249 in MergeState::Finalize() src/layout/painting/RetainedDisplayListBuilder.cpp:296:7
#4 0x7fd05626fdd3 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:469:26
#5 0x7fd05627845f in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1075:7
#6 0x7fd055a1e316 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3862:40
#7 0x7fd05590c9fd in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6318:5
#8 0x7fd0552aa27a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#9 0x7fd0552a907c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#10 0x7fd0552ae6a6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#11 0x7fd05588413f in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2053:11
#12 0x7fd055891760 in TickDriver src/layout/base/nsRefreshDriver.cpp:337:13
#13 0x7fd055891760 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:307
#14 0x7fd055891326 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5
#15 0x7fd05589409e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:770:5
#16 0x7fd05589409e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:683
#17 0x7fd055893c9e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:584:9
#18 0x7fd0561503af in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
#19 0x7fd04ecb88b9 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
#20 0x7fd04eb8ed8a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
#21 0x7fd04e6bfcce in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2135:25
#22 0x7fd04e6bcc51 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2065:17
#23 0x7fd04e6be44c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1911:5
#24 0x7fd04e6beaa8 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1944:15
#25 0x7fd04d7d8198 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
#26 0x7fd04d7f45d0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#27 0x7fd0550847d9 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at src/dom/xhr/XMLHttpRequestMainThread.cpp:2926:31)> src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#28 0x7fd0550847d9 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) src/dom/xhr/XMLHttpRequestMainThread.cpp:2926
#29 0x7fd055082ae4 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) src/dom/xhr/XMLHttpRequestMainThread.cpp:2711:11
#30 0x7fd0524367e2 in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1282:9
#31 0x7fd052fca621 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3191:13
#32 0x7fd0598e0a67 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
#33 0x7fd0598e0a67 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
#34 0x7fd0598cb521 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
#35 0x7fd0598cb521 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
#36 0x7fd0598b196a in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#37 0x7fd0598e07e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#38 0x7fd0598e1a62 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#39 0x7fd05a40b6ed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3003:12
#40 0x7fd0527139cf in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
#41 0x7fd0536ff3e1 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#42 0x7fd0536ff3e1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1104
#43 0x7fd053700ca5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1276:20
#44 0x7fd0536eb037 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
#45 0x7fd0536eedd7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:914:9
#46 0x7fd050af5112 in FocusBlurEvent::Run() src/dom/base/nsFocusManager.cpp:2083:12
#47 0x7fd0506070ef in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5660:15
#48 0x7fd0509e39f7 in nsDocument::EndUpdate(unsigned int) src/dom/base/nsDocument.cpp:5089:3
#49 0x7fd053ae59bc in nsHTMLDocument::EndUpdate(unsigned int) src/dom/html/nsHTMLDocument.cpp:2120:15
#50 0x7fd050ab85ec in ~mozAutoDocUpdate src/dom/base/mozAutoDocUpdate.h:40:18
#51 0x7fd050ab85ec in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1989
#52 0x7fd051408d5d in InsertBefore src/obj-firefox/dist/include/nsINode.h:1821:12
#53 0x7fd051408d5d in mozilla::dom::NodeBinding::insertBefore(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:892
#54 0x7fd052fca621 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3191:13
#55 0x7fd0598e0a67 in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
#56 0x7fd0598e0a67 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
#57 0x7fd0598cb521 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
#58 0x7fd0598cb521 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084
#59 0x7fd0598b196a in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#60 0x7fd0598e07e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#61 0x7fd0598e1a62 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#62 0x7fd05a40b6ed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3003:12
#63 0x7fd0527139cf in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
#64 0x7fd0536ff3e1 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#65 0x7fd0536ff3e1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1104
#66 0x7fd053700ca5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1276:20
#67 0x7fd0536eb337 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:559:14
#68 0x7fd0536eedd7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:914:9
#69 0x7fd0536f10ec in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp:993:12
#70 0x7fd050ab3ab8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1084:5
#71 0x7fd0505fb984 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4480:28
#72 0x7fd0505fb744 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4448:10
#73 0x7fd0509e6508 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5219:3
#74 0x7fd050afda64 in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
#75 0x7fd050afda64 in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1170
#76 0x7fd050afda64 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1215
#77 0x7fd04d7b8841 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#78 0x7fd04d7d8198 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
#79 0x7fd04d7f45d0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#80 0x7fd04e6c783a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#81 0x7fd04e617609 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#82 0x7fd04e617609 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#83 0x7fd04e617609 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#84 0x7fd055338eaa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#85 0x7fd0595fc01b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#86 0x7fd04e617609 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#87 0x7fd04e617609 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#88 0x7fd04e617609 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#89 0x7fd0595fb9e2 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#90 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#91 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:280
#92 0x7fd06e0de1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
#93 0x42476c in _start (/home/worker/firefox/firefox+0x42476c)
0x6250020d5c70 is located 2928 bytes inside of 8192-byte region [0x6250020d5100,0x6250020d7100)
allocated by thread T0 (file:// Content) here:
#0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7fd04d7849c3 in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:195:15
#2 0x7fd04d7849c3 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:230
#3 0x7fd04d7849c3 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
#4 0x7fd04d7849c3 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
#5 0x7fd055af531f in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
#6 0x7fd055af531f in AllocateFrame src/obj-firefox/dist/include/nsIPresShell.h:208
#7 0x7fd055af531f in operator new src/layout/generic/ViewportFrame.cpp:34
#8 0x7fd055af531f in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:31
#9 0x7fd05597cc3a in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2679:5
#10 0x7fd0558d8294 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1790:36
#11 0x7fd050952762 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1268:26
#12 0x7fd04f8141e6 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:674:18
#13 0x7fd04f80f73b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1200:17
#14 0x7fd04f80c6e6 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:490:17
#15 0x7fd04f81877b in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:121:18
#16 0x7fd04d7b8841 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#17 0x7fd04d7d8198 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
#18 0x7fd04d7f45d0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#19 0x7fd04e6c783a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#20 0x7fd04e617609 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#21 0x7fd04e617609 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#22 0x7fd04e617609 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#23 0x7fd055338eaa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#24 0x7fd0595fc01b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#25 0x7fd04e617609 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
#26 0x7fd04e617609 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
#27 0x7fd04e617609 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
#28 0x7fd0595fb9e2 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#29 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#30 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:280
#31 0x7fd06e0de1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
|
Reporter | |
Updated•7 years ago
|
Group: layout-core-security
|
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
|
Assignee | |
Comment 3•7 years ago
|
||
I can't reproduce this :(
Does it need the fuzzPriv extension? Tried to install that, can't get it to work, apparently it's not a restartless extension, and we don't support those anymore?
|
|
Assignee | |
Updated•7 years ago
|
Priority: -- → P1
|
|
Reporter | |
Comment 4•7 years ago
|
||
Hey Matt, truber has updated fuzzPriv[1]. Be sure to use the legacy branch.
[1] https://github.com/MozillaSecurity/fuzzpriv/tree/legacy
|
|
Reporter | |
Comment 5•7 years ago
|
||
I can repro with m-c:
BuildID=20180419223008
SourceStamp=5d73549d363f2a52854ff43fabac9c6fd05b90b0
It took about a minute to trigger the failure.
|
|
Assignee | |
Comment 6•7 years ago
|
||
Still no luck getting the extension installed (zipping that repo as an xpi reports that it's corrupt?).
I got rid of the call to fuzzPriv.CC() that wasn't guarded by a catch{}, and then it reproduced after about a minute.
Assignee: nobody → matt.woodrow
Attachment #8969862 -
Flags: review?(mikokm)
|
||
Comment 7•7 years ago
|
||
Comment on attachment 8969862 [details] [diff] [review]
Track nsDisplaySubDocument::mSubDocFrame, and invalidate the display item if it gets deleted.
Review of attachment 8969862 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM.
Attachment #8969862 -
Flags: review?(mikokm) → review+
|
|
Assignee | |
Comment 8•7 years ago
|
||
Comment on attachment 8969862 [details] [diff] [review]
Track nsDisplaySubDocument::mSubDocFrame, and invalidate the display item if it gets deleted.
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not super easily, the current testcase is complex and takes a while to reproduce.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Not particularly, you'd have to understand the retained-dl code in some detail.
Which older supported branches are affected by this flaw?
None
If not all supported branches, which bug introduced the flaw?
Introduced with retained-dl code in 59, only enabled in 61 though.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Not applicable.
How likely is this patch to cause regressions; how much testing does it need?
Very unlikely to cause regressions.
Attachment #8969862 -
Flags: sec-approval?
|
||
Updated•7 years ago
|
Attachment #8969862 -
Flags: sec-approval? → sec-approval+
|
||
Updated•7 years ago
|
|
||
Comment 10•7 years ago
|
||
Matt, is this ready to land?
status-firefox62:
--- → affected
status-firefox-esr60:
--- → disabled
tracking-firefox61:
--- → +
tracking-firefox62:
--- → +
Flags: needinfo?(matt.woodrow)
|
|
Assignee | |
Comment 11•7 years ago
|
||
Flags: needinfo?(matt.woodrow)
|
|
||
Comment 12•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6ae810d395d1
https://hg.mozilla.org/mozilla-central/rev/f242ab72c59b
Please request Beta approval on this when you're comfortable doing so.
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
|
Assignee | |
Comment 13•7 years ago
|
||
Comment on attachment 8969862 [details] [diff] [review]
Track nsDisplaySubDocument::mSubDocFrame, and invalidate the display item if it gets deleted.
Approval Request Comment
[Feature/Bug causing the regression]: Retained-dl
[User impact if declined]: UAF on poisoned frame memory, in some cases with <iframe>.
[Is this code covered by automated tests?]: No.
[Has the fix been verified in Nightly?]: Manually verified with the testcase provided. Doesn't crash reliably enough to make it into an automated test.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: Bug 1460526/
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Uses existing infrastructure for handling this case, just adds it for the new display item type.
[String changes made/needed]: None.
Flags: needinfo?(matt.woodrow)
Attachment #8969862 -
Flags: approval-mozilla-beta?
|
|
||
Comment 14•7 years ago
|
||
Comment on attachment 8969862 [details] [diff] [review]
Track nsDisplaySubDocument::mSubDocFrame, and invalidate the display item if it gets deleted.
Retained display list fix needed for the feature to ship in Fx61. Approved for 61.0b6.
Attachment #8969862 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 15•7 years ago
|
||
| uplift | ||
|
||
Updated•7 years ago
|
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
|
||
Comment 16•7 years ago
|
||
Hello all,
I have managed to reproduce the crash with a build from approx the same date where Comment 0 was created :
https://tools.taskcluster.net/index/gecko.v2.mozilla-beta.pushdate.2018.04.06.20180406212317.firefox/linux64-asan-opt
I have tried to encounter this issue with the following builds:
62.0b1 DevEdition (20180619022742) and 61.0 RC (20180619011111) and the issue is no longer present, thus this issue can be closed as Verified-Fixed.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•