Closed Bug 1459693 (CVE-2018-12360) Opened 7 years ago Closed 6 years ago

heap-use-after-free in nsFocusManager::CheckIfFocusable

Categories

(Core :: DOM: Core & HTML, defect, P1)

61 Branch
defect

Tracking

()

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 61+ fixed
firefox-esr60 61+ fixed
firefox60 --- wontfix
firefox61 + verified
firefox62 + verified

People

(Reporter: nils, Assigned: smaug, NeedInfo)

Details

(Keywords: csectype-uaf, reporter-external, sec-critical, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])

Attachments

(3 files)

The following testcase crashes a fuzzing build (--enable-fuzzing) of Firefox 61.0a1 (SourceStamp=b1628ac71fcc15797baec6083650bfcde650f190). It requires the fuzzing.enabled pref to be set to true. <script> function start() { document.removeChild(document.documentElement); o0=document.createElement('HTML'); o1144=document.createElement('LI'); o1340=document.createElement('A'); o1144.appendChild(o1340); o0.appendChild(o1144); document.appendChild(o0); window.top.setTimeout(fun0, 400); } function fun0() { o1662=document.createElement('input'); o1662.type='number'; o1340.appendChild(o1662); o1711=document.createElement('textarea'); o0.appendChild(o1711); o1711.select(); o1718=document.createElement('marquee'); o0.addEventListener('DOMAttrModified',fun1); o0.appendChild(o1718); o1662.focus(); } function fun1() { o0.remove(); FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect(); } </script> <body onload="start()"></body> ASAN output: ================================================================= ==10502==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500021439c at pc 0x7f6e33e45849 bp 0x7ffe54addfb0 sp 0x7ffe54addfa8 READ of size 4 at 0x61500021439c thread T0 (file:// Content) #0 0x7f6e33e45848 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1644:12 #1 0x7f6e33e45848 in IsInUncomposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:654 #2 0x7f6e33e45848 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:699 #3 0x7f6e33e45848 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1438 #4 0x7f6e33e45848 in nsFocusManager::CheckIfFocusable(mozilla::dom::Element*, unsigned int) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1624 #5 0x7f6e33e40fed in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1226:36 #6 0x7f6e33e445ca in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:518:3 #7 0x7f6e33bd0752 in mozilla::dom::Element::Focus(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Element.cpp:348:20 #8 0x7f6e36bdf023 in mozilla::dom::HTMLInputElement::Focus(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3198:27 #9 0x7f6e36bdeb7f in mozilla::dom::HTMLInputElement::Focus(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3182:22 #10 0x7f6e35d7fad2 in mozilla::dom::HTMLElementBinding::focus(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:540:9 #11 0x7f6e36240b21 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3260:13 #12 0x7f6e3cb05ff7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #13 0x7f6e3cb05ff7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #14 0x7f6e3caf06bf in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #15 0x7f6e3caf06bf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086 #16 0x7f6e3cad6d63 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #17 0x7f6e3cb05d75 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #18 0x7f6e3cb06ff2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10 #19 0x7f6e3d637c2a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12 #20 0x7f6e35b86e9d in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:40:8 #21 0x7f6e33ac3bdb in Call<nsCOMPtr<nsISupports> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12 #22 0x7f6e33ac3bdb in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:6658 #23 0x7f6e33ce1456 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:877:42 #24 0x7f6e33ce0734 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:172:11 #25 0x7f6e33ce2936 in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:240:5 #26 0x7f6e33ce2936 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp #27 0x7f6e30babd9b in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40 #28 0x7f6e30b7b429 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:290:11 #29 0x7f6e30b97c87 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:188:22 #30 0x7f6e30b978bf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:72:15 #31 0x7f6e30b6c641 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32 #32 0x7f6e30b8b439 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14 #33 0x7f6e30ba6e70 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10 #34 0x7f6e31a859e6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5 #35 0x7f6e319d94f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #36 0x7f6e319d94f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #37 0x7f6e319d94f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #38 0x7f6e385a8e4a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27 #39 0x7f6e3c81cf9b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #40 0x7f6e319d94f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #41 0x7f6e319d94f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #42 0x7f6e319d94f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #43 0x7f6e3c81c960 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #44 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #45 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280 #46 0x7f6e507d882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #47 0x42476c in _start (/fuzzer3/firefox/firefox+0x42476c) 0x61500021439c is located 28 bytes inside of 472-byte region [0x615000214380,0x615000214558) freed by thread T0 (file:// Content) here: #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3 #1 0x7f6e30a18f30 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25 #2 0x7f6e30a2114f in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3 #3 0x7f6e30a2114f in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925 #4 0x7f6e30a2065d in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9 #5 0x7f6e30a244f2 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21 #6 0x7f6e33ec20de in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1488:3 #7 0x7f6e35c574ca in mozilla::dom::FuzzingFunctionsBinding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:54:3 #8 0x7f6e3cb05ff7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #9 0x7f6e3cb05ff7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #10 0x7f6e3caf06bf in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #11 0x7f6e3caf06bf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086 #12 0x7f6e3cad6d63 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #13 0x7f6e3cb05d75 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #14 0x7f6e3cb06ff2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10 #15 0x7f6e3d637c2a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12 #16 0x7f6e359cca75 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8 #17 0x7f6e36972c7e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12 #18 0x7f6e36972c7e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118 #19 0x7f6e369743db in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1288:20 #20 0x7f6e3695ea87 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:560:14 #21 0x7f6e36962583 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:961:9 #22 0x7f6e36964abb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp #23 0x7f6e33ea7bf8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1079:5 #24 0x7f6e36982ea3 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:204:13 #25 0x7f6e368f8e8c in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:68:12 #26 0x7f6e339f904f in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5635:15 #27 0x7f6e33dd7027 in nsDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5105:3 #28 0x7f6e36d5849c in nsHTMLDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2120:15 #29 0x7f6e38a79e1a in ~mozAutoDocConditionalContentUpdateBatch /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:83:18 #30 0x7f6e38a79e1a in ModifyDeclaration<(lambda at /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:297:5)> /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:287 #31 0x7f6e38a79e1a in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool, nsIPrincipal*) /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:295 #32 0x7f6e34373c9a in SetMargin /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ServoCSSPropList.h:456:1 #33 0x7f6e34373c9a in mozilla::dom::CSS2PropertiesBinding::set_margin(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:31017 #34 0x7f6e3623e223 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3204:8 #35 0x7f6e3cb05ff7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #36 0x7f6e3cb05ff7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #37 0x7f6e3cb08c26 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12 #38 0x7f6e3cb08c26 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535 #39 0x7f6e3cb08c26 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:664 previously allocated by thread T0 (file:// Content) here: #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17 #2 0x7f6e36bb06b9 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12 #3 0x7f6e36bb06b9 in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:120 #4 0x7f6e36d38569 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:252:41 #5 0x7f6e33a21937 in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:10017:18 #6 0x7f6e36d384c8 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:235:10 #7 0x7f6e33e211a0 in nsIDocument::CreateHTMLElement(nsAtom*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:12378:28 #8 0x7f6e390c5dbe in nsNumberControlFrame::MakeAnonymousElement(mozilla::dom::Element**, nsTArray<nsIAnonymousContentCreator::ContentInfo>&, nsAtom*, mozilla::CSSPseudoElementType) /builds/worker/workspace/build/src/layout/forms/nsNumberControlFrame.cpp:331:40 #9 0x7f6e390c63eb in nsNumberControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/workspace/build/src/layout/forms/nsNumberControlFrame.cpp:378:8 #10 0x7f6e38bff0ae in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4172:26 #11 0x7f6e38bf27fe in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10265:3 #12 0x7f6e38c086e1 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4041:9 #13 0x7f6e38c11390 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6073:3 #14 0x7f6e38bf1ee5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10144:5 #15 0x7f6e38c1e370 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7267:3 #16 0x7f6e38bad73f in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1401:27 #17 0x7f6e38bbaa95 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3000:9 #18 0x7f6e38b72723 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3077:3 #19 0x7f6e38b72723 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4316 #20 0x7f6e33df3d68 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:592:5 #21 0x7f6e33df3d68 in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7589 #22 0x7f6e33e449d9 in FlushPendingNotifications /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7528:3 #23 0x7f6e33e449d9 in nsFocusManager::CheckIfFocusable(mozilla::dom::Element*, unsigned int) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1605 #24 0x7f6e33e40fed in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1226:36 #25 0x7f6e33e445ca in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:518:3 #26 0x7f6e36cd7df4 in mozilla::dom::HTMLTextAreaElement::Select() /builds/worker/workspace/build/src/dom/html/HTMLTextAreaElement.cpp:156:11 #27 0x7f6e360533b7 in mozilla::dom::HTMLTextAreaElementBinding::select(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLTextAreaElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLTextAreaElementBinding.cpp:1390:9 #28 0x7f6e36240b21 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3260:13 #29 0x7f6e3cb05ff7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #30 0x7f6e3cb05ff7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #31 0x7f6e3caf06bf in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #32 0x7f6e3caf06bf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086 #33 0x7f6e3cad6d63 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #34 0x7f6e3cb05d75 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15 #35 0x7f6e3cb06ff2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10 SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsINode.h:1644:12 in GetBoolFlag Shadow bytes around the buggy address: 0x0c2a8003a820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a8003a830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a8003a840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a8003a850: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa 0x0c2a8003a860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c2a8003a870: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a8003a880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a8003a890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a8003a8a0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c2a8003a8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a8003a8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==10502==ABORTING
Attached file ASAN output
Any ideas, Olli? It looks like you touched nsFocusManager.cpp most recently.
Group: core-security → dom-core-security
Flags: needinfo?(bugs)
Priority: -- → P1
Flags: needinfo?(emilio)
Stack trace is pretty obvious.
Assignee: nobody → bugs
Flags: needinfo?(bugs)
Attached patch focus_crash.diffSplinter Review
this is what the stack trace hinted was going wrong, and verified using asan + fuzz build that this seems to actually fix the bug.
Attachment #8973850 - Flags: review?(continuation)
Comment on attachment 8973850 [details] [diff] [review] focus_crash.diff Review of attachment 8973850 [details] [diff] [review]: ----------------------------------------------------------------- Gah, I wish we had some static analysis for this. Thanks for fixing!
Attachment #8973850 - Flags: review?(continuation) → review+
Comment on attachment 8973850 [details] [diff] [review] focus_crash.diff [Security approval request comment] How easily could an exploit be constructed based on the patch? The patch does pinpoint what kind of issue is being fixed. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The commit message could be -m "Bug 1459693, ensure the right anonymous element is focused when calling input.focus(), r=mccr8" Which older supported branches are affected by this flaw? all Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The code seems to be untouched since 2011, so the same patch should apply on supported branches How likely is this patch to cause regressions; how much testing does it need? Very unlikely to cause regressions. Just keeping an object alive a bit longer.
Attachment #8973850 - Flags: sec-approval?
Attachment #8973850 - Flags: approval-mozilla-esr60?
Attachment #8973850 - Flags: approval-mozilla-esr52?
Attachment #8973850 - Flags: approval-mozilla-beta?
Flags: needinfo?(emilio)
(In reply to Andrew McCreight [:mccr8] from comment #5) > Comment on attachment 8973850 [details] [diff] [review] > focus_crash.diff > > Review of attachment 8973850 [details] [diff] [review]: > ----------------------------------------------------------------- > > Gah, I wish we had some static analysis for this. Thanks for fixing! We have MOZ_CAN_RUN_SCRIPT fwiw, stuff just needs annotating.
Comment on attachment 8973850 [details] [diff] [review] focus_crash.diff Under the assumption that this is going to have a delayed landing, I'm clearing the uplift requests for now so they're not inactionably on the request radar for the next few weeks.
Attachment #8973850 - Flags: approval-mozilla-esr60?
Attachment #8973850 - Flags: approval-mozilla-esr52?
Attachment #8973850 - Flags: approval-mozilla-beta?
sec-approval+ to land in three weeks, on May 30, to reduce the window of exposure. Once it is on trunk then, we'll want branch patches for Beta and both ESR branches made and nominated.
Whiteboard: [checkin on 5/30]
Attachment #8973850 - Flags: sec-approval? → sec-approval+
Comment on attachment 8973850 [details] [diff] [review] focus_crash.diff [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: this is sec-crit User impact if declined: security sensitive crash Fix Landed on Version: 62 Risk to taking this patch (and alternatives if risky): should be very safe String or UUID changes made by this patch: NA [Feature/Bug causing the regression]: old stuff [Is this code covered by automated tests?]: nope [Has the fix been verified in Nightly?]: not yet [Is the change risky?]: nope [Why is the change risky/not risky?]: just using RefPtr and not raw pointer.
Attachment #8973850 - Flags: approval-mozilla-esr60?
Attachment #8973850 - Flags: approval-mozilla-esr52?
Attachment #8973850 - Flags: approval-mozilla-beta?
Comment on attachment 8973850 [details] [diff] [review] focus_crash.diff CI results on inbound all look good. Approved for 61.0b10, ESR 60.1, and ESR 52.9.
Attachment #8973850 - Flags: approval-mozilla-esr60?
Attachment #8973850 - Flags: approval-mozilla-esr60+
Attachment #8973850 - Flags: approval-mozilla-esr52?
Attachment #8973850 - Flags: approval-mozilla-esr52+
Attachment #8973850 - Flags: approval-mozilla-beta?
Attachment #8973850 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
Whiteboard: [checkin on 5/30]
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
Flags: qe-verify+
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
Alias: CVE-2018-12360
I managed to reproduce the crash with the testcase from comment 0 on Linux 16.04 using ASAN fuzzy build downloaded from: https://tools.taskcluster.net/index/gecko.v2.mozilla-central.pushdate.2018.05.07.20180507085353.firefox/linux64-fuzzing-asan-opt I verified as fixed on Linux with the latest asan fuzzy build downloaded from: https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt Also verified as fixed on Linux 16.04, Windows 10x64 and Mac OS X 10.13 on latest Nightly 62.0a1, Build ID 20180621013659 and Beta Candidate 62.0b1, Build ID 20180619022742. For ESR 52.9.0, Build ID 20180619102821 and ESR 60.1.0 Build ID 20180619173714, the testcases attached is nor working: the two input boxes are not displayed, and the crash is not reproducible. Please note that I tried with Esr builds generated from http://archive.mozilla.org/pub/firefox/candidates/ and also with ASAN fuzzy builds downloded from https://tools.taskcluster.net/index/gecko.v2.mozilla-esr60.latest.firefox/linux64-fuzzing-asan-opt. Olli, am I missing something for the esr builds? Should this testcase work on esr builds?
I guess FuzzingFunctions isn't in esr?
Flags: needinfo?(bugs)
For ESR 60, I used an ASAN fuzzy build downloaded from https://tools.taskcluster.net/index/gecko.v2.mozilla-esr60.latest.firefox/linux64-fuzzing-asan-opt . The testcase from comment 0 is not working (the two input boxes are not displayed) and I am getting the following error in console: JavaScript error: chrome://xbl-marquee/content/xbl-marquee.xml, line 541: TypeError: this.outerDiv is undefined 1529587265928 addons.update-checker WARN onUpdateCheckComplete failed to parse update manifest: [Exception... "Update manifest is missing a required addons property." nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/addons/AddonUpdateChecker.jsm :: getRequiredProperty :: line 461" data: no] Stack trace: getRequiredProperty()@resource://gre/modules/addons/AddonUpdateChecker.jsm:461. Also, I did not reproduce the crash. The same behavior can be observed on official ESR 60.1.0 build ID 20180621121604. As for ESR 52, I did not find an ASAN build with fuzzy functions, so I used an asan build and used the DOMFuzz Helper for fuzzy functions. The result is the same as for the ESR 60: the testcase is not working and the crash is not reproducible. The same on latest ESR 52.9.0 build ID 20180621064021. I'm not sure what the verification criteria is for ESR builds: 1. Testcase does not crash on esr builds 2. Testcase doesn't seem to work on esr builds(the two input boxes are not displayed) Summing up, I'm not sure how to continue verification on this.
Flags: needinfo?(nils)
Flags: needinfo?(bugs)
I don't know how to explicitly verify this on those branches. The patch itself is rather obvious, so if this is verified on non-ESR, that should be, IMO, enough.
Flags: needinfo?(bugs)
Based on the previous comment, this can be considered verified. Remove the qe-verify+ flag.
Flags: qe-verify+
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Component: DOM → DOM: Core & HTML
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: