heap-use-after-free in [@ mozilla::dom::HTMLLinkElement::UnbindFromTree]

VERIFIED FIXED in Firefox 62

Status: defect, VERIFIED FIXED
Reported: 11 months ago
Modified: a month ago

People: Reporter: tsmith, Assigned: smaug

Tracking: Blocks 1 bug, 5 keywords
Version: unspecified
Target Milestone: mozilla62
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox-esr52 unaffected, firefox-esr60 disabled, firefox60 disabled, firefox61 disabled, firefox62+ verified

Details: Whiteboard: [post-critsmash-triage]

Attachments: 2 attachments

(Reporter)

Description

11 months ago
==606==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00011d01c at pc 0x7f1d7a6f98d4 bp 0x7ffedb784b30 sp 0x7ffedb784b28
READ of size 4 at 0x60d00011d01c thread T0 (file:// Content)
    #0 0x7f1d7a6f98d3 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1644:12
    #1 0x7f1d7a6f98d3 in IsElement src/obj-firefox/dist/include/nsINode.h:511
    #2 0x7f1d7a6f98d3 in GetShadowRoot src/dom/base/nsIContentInlines.h:58
    #3 0x7f1d7a6f98d3 in mozilla::dom::HTMLLinkElement::UnbindFromTree(bool, bool) src/dom/html/HTMLLinkElement.cpp:190
    #4 0x7f1d776d78db in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1353:16
    #5 0x7f1d776d7899 in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1352:9
    #6 0x7f1d776d714a in ContentUnbinder::Run() src/dom/base/FragmentOrElement.cpp:1364:9
    #7 0x7f1d7465c976 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #8 0x7f1d746788b0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #9 0x7f1d7555902a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #10 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #11 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #12 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #13 0x7f1d7c0c314a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #14 0x7f1d8031687b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #15 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f1d80316240 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #19 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #20 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:282
    #21 0x7f1d93fb882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x42476c in _start (/home/ubuntu/firefox/firefox+0x42476c)

0x60d00011d01c is located 28 bytes inside of 136-byte region [0x60d00011d000,0x60d00011d088)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f1d744ea3a0 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f1d744f552d in FreeSnowWhite src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f1d744f552d in nsCycleCollector_doDeferredDeletion() src/xpcom/base/nsCycleCollector.cpp:4293
    #4 0x7f1d75f96d39 in AsyncFreeSnowWhite::Run() src/js/xpconnect/src/XPCJSRuntime.cpp:126:34
    #5 0x7f1d7467fa6a in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:343:22
    #6 0x7f1d7465c976 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #7 0x7f1d746788b0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #8 0x7f1d7555902a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #9 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #10 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #11 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #12 0x7f1d7c0c314a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #13 0x7f1d8031687b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #14 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7f1d80316240 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #18 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #19 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:282
    #20 0x7f1d93fb882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f1d7a7ab8d3 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f1d7a7ab8d3 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/HTMLSharedElement.cpp:23
    #4 0x7f1d7a832f49 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/nsHTMLContentSink.cpp:251:41
    #5 0x7f1d774a2ed7 in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/base/nsContentUtils.cpp:10006:18
    #6 0x7f1d7a832ea8 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/html/nsHTMLContentSink.cpp:234:10
    #7 0x7f1d779796d2 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) src/dom/base/nsNameSpaceManager.cpp:191:12
    #8 0x7f1d77853d6f in nsIDocument::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) src/dom/base/nsDocument.cpp:7875:17
    #9 0x7f1d77853790 in nsIDocument::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) src/dom/base/nsDocument.cpp:5704:26
    #10 0x7f1d7952b4b1 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:1258:59
    #11 0x7f1d79d371b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3260:13
    #12 0x7f1d805feb97 in CallJSNative src/js/src/vm/JSContext-inl.h:280:15
    #13 0x7f1d805feb97 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #14 0x7f1d805e9393 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #15 0x7f1d805e9393 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3086
    #16 0x7f1d805cfb53 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #17 0x7f1d805fe915 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #18 0x7f1d805ffb92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #19 0x7f1d8114225a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2981:12
    #20 0x7f1d794df17e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #21 0x7f1d7a4a6d6a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #22 0x7f1d7a4a46d4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #23 0x7f1d7a46b24d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1124:52
    #24 0x7f1d7a46c98b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1291:20
    #25 0x7f1d7a456c97 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:528:16
    #26 0x7f1d7a45aa93 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:961:9
    #27 0x7f1d7a45cfcb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #28 0x7f1d7791a128 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1077:5
    #29 0x7f1d7746fc93 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4469:28
    #30 0x7f1d7746fa74 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4437:10
    #31 0x7f1d7c4a4999 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) src/layout/style/Loader.cpp:321:3
    #32 0x7f1d7c4a4d5c in AfterProcessNextEvent src/layout/style/Loader.cpp:304:3
    #33 0x7f1d7c4a4d5c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) src/layout/style/Loader.cpp
(Reporter)

Comment 1

11 months ago
I will upload the testcase when reduction is complete.
Flags: needinfo?(twsmith)
(Assignee)

Updated

11 months ago
Blocks: 1461704
(Reporter)

Comment 2

11 months ago
Posted file testcase.html
This testcase does require the fuzzpriv extension[1]

[1] https://github.com/MozillaSecurity/fuzzpriv/tree/legacy
Flags: needinfo?(twsmith)
(Reporter)

Updated

11 months ago
Flags: in-testsuite?
Keywords: testcase
Flags: needinfo?(bugs)
Keywords: sec-critical
(Assignee)

Comment 3

11 months ago
How do I install that legacy addon?

Though, it looks like I have the addon installed on one of the FF profiles, but it is disabled.
(Assignee)

Comment 4

11 months ago
Aha, xpinstall.whitelist.required = false is needed too.

But still, even when the addon is enabled, the testcase throws
line 2: ReferenceError: fuzzPriv is not defined
(Assignee)

Comment 5

11 months ago
Tyson, could you explain how to reproduce the issue?
Flags: needinfo?(twsmith)
(Assignee)

Comment 7

11 months ago
Patch for bug 1463116 might fix this one.
Assignee: nobody → bugs
Depends on: 1463116
Looking at the patch this doesn't seem to affect ESR-52 but would apply to ESR-60+. Is that right, Olli?
(Assignee)

Comment 9

11 months ago
The issue is shadow DOM dependent, and shadow DOM isn't enabled by default anywhere.
Flags: needinfo?(bugs)
(Reporter)

Comment 10

11 months ago
Posted file prefs.js
(Reporter)

Comment 11

11 months ago
This bug was fixed by the patch in bug 1463116. I verified with m-c:
BuildID=20180522095022
SourceStamp=f85be0c4f0562ea59a91000883e0e7848491837c
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Thanks for checking.
Can we land the test still?
Group: dom-core-security → core-security-release
Flags: needinfo?(bugs)
Target Milestone: --- → mozilla62

Updated

10 months ago
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Hi Tyson,

Unfortunately I didn't manage to reproduce the bug described in comment 0 using an affected Firefox 62.0a1 (BuildId:20180517094542) asan build.

I tried reproducing this issue using a fuzzing asan build, but as soon as I load the provided testcase (from Comment 2) the following error is displayed: "ReferenceError: fuzzPriv is not defined" - same as in Comment 4.

I managed to install the fuzzpriv extension, but as soon as the testcase is loaded, a "document.createElement(...).attachShadow is not a function" error gets thrown.

Is there something that I might be missing? Could you help us by confirming that this is fixed on the latest 62 beta asan build as well?

Thank You!
Flags: needinfo?(twsmith)
(Reporter)

Comment 15

9 months ago
Verified in Firefox 62.

(In reply to Tyson Smith [:tsmith] from comment #11)
> This bug was fixed by the patch in bug 1463116. I verified with m-c:
> BuildID=20180522095022
> SourceStamp=f85be0c4f0562ea59a91000883e0e7848491837c

The fuzzPriv extension is not supported on release or beta.
Flags: needinfo?(twsmith)
Thanks Tyson,

Marking this as verified fixed (per comment 15).
Status: RESOLVED → VERIFIED
Flags: qe-verify+

I was able to confirm that the attached testcase reproduces the UAF as a crashtest against an affected revision with SpecialPowers substituted in and Shadow DOM preffed on. Testcase landed on inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c75f2874b74d

Also, I'm opening this bug up since the issue only ever affected Shadow DOM, which wasn't preffed on by default until long after this bug was fixed.

Group: core-security-release
Flags: needinfo?(bugs)
Flags: in-testsuite?
Flags: in-testsuite+
Component: DOM → DOM: Core & HTML
Product: Core → Core