Bug 1462548 - heap-use-after-free in [@ mozilla::dom::HTMLLinkElement::UnbindFromTree]
Status: VERIFIED FIXED (closed)
Opened 6 years ago, closed 6 years ago
Product / Component: Core :: DOM: Core & HTML (defect)
Target Milestone: mozilla62
Reporter: tsmith; Assignee: smaug
References: Blocks 1 open bug
Keywords: 5 keywords; Whiteboard: [post-critsmash-triage]
Attachments: 2 files
Description

==606==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00011d01c at pc 0x7f1d7a6f98d4 bp 0x7ffedb784b30 sp 0x7ffedb784b28
READ of size 4 at 0x60d00011d01c thread T0 (file:// Content)
    #0 0x7f1d7a6f98d3 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1644:12
    #1 0x7f1d7a6f98d3 in IsElement src/obj-firefox/dist/include/nsINode.h:511
    #2 0x7f1d7a6f98d3 in GetShadowRoot src/dom/base/nsIContentInlines.h:58
    #3 0x7f1d7a6f98d3 in mozilla::dom::HTMLLinkElement::UnbindFromTree(bool, bool) src/dom/html/HTMLLinkElement.cpp:190
    #4 0x7f1d776d78db in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1353:16
    #5 0x7f1d776d7899 in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1352:9
    #6 0x7f1d776d714a in ContentUnbinder::Run() src/dom/base/FragmentOrElement.cpp:1364:9
    #7 0x7f1d7465c976 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #8 0x7f1d746788b0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #9 0x7f1d7555902a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #10 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #11 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #12 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #13 0x7f1d7c0c314a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #14 0x7f1d8031687b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #15 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f1d80316240 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #19 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #20 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:282
    #21 0x7f1d93fb882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x42476c in _start (/home/ubuntu/firefox/firefox+0x42476c)

0x60d00011d01c is located 28 bytes inside of 136-byte region [0x60d00011d000,0x60d00011d088)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f1d744ea3a0 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f1d744f552d in FreeSnowWhite src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f1d744f552d in nsCycleCollector_doDeferredDeletion() src/xpcom/base/nsCycleCollector.cpp:4293
    #4 0x7f1d75f96d39 in AsyncFreeSnowWhite::Run() src/js/xpconnect/src/XPCJSRuntime.cpp:126:34
    #5 0x7f1d7467fa6a in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:343:22
    #6 0x7f1d7465c976 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #7 0x7f1d746788b0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #8 0x7f1d7555902a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #9 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #10 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #11 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #12 0x7f1d7c0c314a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #13 0x7f1d8031687b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #14 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7f1d80316240 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #18 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #19 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:282
    #20 0x7f1d93fb882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f1d7a7ab8d3 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f1d7a7ab8d3 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/HTMLSharedElement.cpp:23
    #4 0x7f1d7a832f49 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/nsHTMLContentSink.cpp:251:41
    #5 0x7f1d774a2ed7 in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/base/nsContentUtils.cpp:10006:18
    #6 0x7f1d7a832ea8 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/html/nsHTMLContentSink.cpp:234:10
    #7 0x7f1d779796d2 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) src/dom/base/nsNameSpaceManager.cpp:191:12
    #8 0x7f1d77853d6f in nsIDocument::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) src/dom/base/nsDocument.cpp:7875:17
    #9 0x7f1d77853790 in nsIDocument::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) src/dom/base/nsDocument.cpp:5704:26
    #10 0x7f1d7952b4b1 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:1258:59
    #11 0x7f1d79d371b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3260:13
    #12 0x7f1d805feb97 in CallJSNative src/js/src/vm/JSContext-inl.h:280:15
    #13 0x7f1d805feb97 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #14 0x7f1d805e9393 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #15 0x7f1d805e9393 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3086
    #16 0x7f1d805cfb53 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #17 0x7f1d805fe915 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #18 0x7f1d805ffb92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #19 0x7f1d8114225a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2981:12
    #20 0x7f1d794df17e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #21 0x7f1d7a4a6d6a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #22 0x7f1d7a4a46d4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #23 0x7f1d7a46b24d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1124:52
    #24 0x7f1d7a46c98b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1291:20
    #25 0x7f1d7a456c97 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:528:16
    #26 0x7f1d7a45aa93 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:961:9
    #27 0x7f1d7a45cfcb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #28 0x7f1d7791a128 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1077:5
    #29 0x7f1d7746fc93 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4469:28
    #30 0x7f1d7746fa74 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4437:10
    #31 0x7f1d7c4a4999 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) src/layout/style/Loader.cpp:321:3
    #32 0x7f1d7c4a4d5c in AfterProcessNextEvent src/layout/style/Loader.cpp:304:3
    #33 0x7f1d7c4a4d5c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) src/layout/style/Loader.cpp
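Triage note added here as an illustration; it is not part of the bug report or of Mozilla's tooling. The description above is a standard ASan heap-use-after-free report, and the facts a triager pulls out of it are: the access (a 4-byte READ 28 bytes into a freed 136-byte region that the allocation stack shows was an HTMLSharedElement), the crash signature, and who freed and who allocated the object (the cycle collector's deferred deletion in SnowWhiteKiller, and document.createElement called from a stylesheet load event handler). One detail worth knowing when picking the signature: ASan prints inlined callees (GetBoolFlag, IsElement, GetShadowRoot) as separate frames that share one pc, so the frame to use is the outermost one with that pc, which is why the bug title names HTMLLinkElement::UnbindFromTree rather than GetBoolFlag. The Python below is written for this page and handles the report layout shown above; SAMPLE_REPORT is a constructed copy of that report, one frame per line and trimmed to the frames the summary uses.

```python
# Added example for this page (not Mozilla's tooling): parse an ASan
# heap-use-after-free report of the layout shown above into its three stacks.
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at ")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),")
# A function name may contain spaces (template args, "operator new"); the location is the last token.
FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+(?P<pc>0x[0-9a-f]+)\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")

Frame = NamedTuple("Frame", [("index", int), ("pc", int), ("func", str), ("loc", str)])

@dataclass
class AsanReport:
    kind: str
    address: int
    op: str = ""
    size: int = 0
    region_start: int = 0
    region_offset: int = -1
    region_size: int = 0
    stacks: Dict[str, List[Frame]] = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})

def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; the section headers decide which stack a frame joins."""
    report, current = None, "access"
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.search(line):
            report = AsanReport(kind=m["kind"], address=int(m["addr"], 16))
        elif report is None:
            continue  # ignore anything before the ERROR banner
        elif m := ACCESS_RE.match(line):
            report.op, report.size = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            report.region_offset, report.region_size = int(m["off"]), int(m["size"])
            report.region_start = int(m["start"], 16)
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif m := FRAME_RE.match(line):
            report.stacks[current].append(Frame(int(m["n"]), int(m["pc"], 16), m["func"], m["loc"]))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR banner found")
    return report

def signature_frame(stack: List[Frame]) -> Optional[Frame]:
    """Inlined callees print as separate frames sharing one pc; the last of them is the
    function whose body holds the faulting code (UnbindFromTree here, as in the bug title)."""
    last = None
    for fr in stack:
        if last is not None and fr.pc != last.pc:
            break
        last = fr
    return last

def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    """Skip interceptor and allocator wrappers so free/alloc stacks name the real caller."""
    wrappers = ("malloc", "free", "moz_xmalloc", "operator new")
    for fr in stack:
        if "compiler-rt/" not in fr.loc and not fr.func.startswith("__interceptor_") and fr.func not in wrappers:
            return fr
    return None

def summarize(report: AsanReport) -> dict:
    sig = signature_frame(report.stacks["access"])
    freed = first_project_frame(report.stacks["free"])
    alloc = first_project_frame(report.stacks["alloc"])
    return {
        "kind": report.kind,
        "access": f"{report.op} of {report.size} bytes at offset {report.region_offset} of a {report.region_size}-byte region",
        # Cross-check the printed offset against the raw addresses (catches hand-edited or truncated reports).
        "offset_consistent": report.address - report.region_start == report.region_offset,
        "signature": sig.func if sig else None,
        "freed_by": freed.func if freed else None,
        "allocated_by": alloc.func if alloc else None,
    }

# Constructed sample: the report above, one frame per line and cut down to the frames that matter.
SAMPLE_REPORT = """\
==606==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00011d01c at pc 0x7f1d7a6f98d4 bp 0x7ffedb784b30 sp 0x7ffedb784b28
READ of size 4 at 0x60d00011d01c thread T0 (file:// Content)
    #0 0x7f1d7a6f98d3 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1644:12
    #2 0x7f1d7a6f98d3 in GetShadowRoot src/dom/base/nsIContentInlines.h:58
    #3 0x7f1d7a6f98d3 in mozilla::dom::HTMLLinkElement::UnbindFromTree(bool, bool) src/dom/html/HTMLLinkElement.cpp:190
    #4 0x7f1d776d78db in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1353:16
0x60d00011d01c is located 28 bytes inside of 136-byte region [0x60d00011d000,0x60d00011d088)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f1d744ea3a0 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2729:25
previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f1d7a7ab8d3 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f1d7a7ab8d3 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/HTMLSharedElement.cpp:23
"""

if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Run as a script it prints the summary for the sample. The wrapper list in first_project_frame is specific to Firefox ASan builds (moz_xmalloc, operator new from mozalloc.h); other projects need their own allocator names there.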
Comment 1•6 years ago (Reporter)
I will upload the testcase when reduction is complete.
Flags: needinfo?(twsmith)
Comment 2•6 years ago (Reporter)
This testcase does require the fuzzpriv extension [1].
[1] https://github.com/MozillaSecurity/fuzzpriv/tree/legacy
Flags: needinfo?(twsmith)
Updated•6 years ago
Flags: needinfo?(bugs)
Updated•6 years ago
Keywords: sec-critical
Comment 3•6 years ago (Assignee)
How do I install that legacy addon? Though it looks like I have the addon installed on one of the FF profiles, but it is disabled.
Comment 4•6 years ago (Assignee)
Aha, xpinstall.whitelist.required = false is needed too. But still, even when the addon is enabled, the testcase throws at line 2: ReferenceError: fuzzPriv is not defined
Comment 5•6 years ago (Assignee)
Tyson, could you explain how to reproduce the issue?
Flags: needinfo?(twsmith)
Comment 6•6 years ago (Assignee)
(but I think I see where the issue is, https://searchfox.org/mozilla-central/rev/8affe6e83188787eb61fe0528eeb6eef6081ba06/dom/base/nsIContent.h#811)
Comment 7•6 years ago (Assignee)
Patch for bug 1463116 might fix this one.
Comment 8•6 years ago
Looking at the patch, this doesn't seem to affect ESR-52 but would apply to ESR-60+. Is that right, Olli?
status-firefox60: --- → wontfix
status-firefox61: --- → affected
status-thunderbird_esr60: --- → affected
Updated•6 years ago
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → affected
status-thunderbird_esr60: affected → ---
tracking-firefox61: --- → +
tracking-firefox62: --- → +
tracking-firefox-esr60: --- → 61+
Keywords: regression
Comment 9•6 years ago (Assignee)
The issue is shadow DOM dependent, and shadow DOM isn't enabled by default anywhere.
Flags: needinfo?(bugs)
Comment 10•6 years ago (Reporter)
Updated•6 years ago
Comment 11•6 years ago (Reporter)
This bug was fixed by the patch in bug 1463116. I verified with m-c:
BuildID=20180522095022
SourceStamp=f85be0c4f0562ea59a91000883e0e7848491837c
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Comment 12•6 years ago
Thanks for checking.
Comment 13•6 years ago
Can we land the test still?
Group: dom-core-security → core-security-release
tracking-firefox61: + → ---
tracking-firefox-esr60: 61+ → ---
Flags: needinfo?(bugs)
Target Milestone: --- → mozilla62
Updated•6 years ago
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Comment 14•6 years ago
Hi Tyson,

Unfortunately I didn't manage to reproduce the bug described in comment 0 using an affected Firefox 62.0a1 (BuildId:20180517094542) asan build. I tried reproducing this issue using a fuzzing asan build, but as soon as I load the provided testcase (from Comment 2) the following error is displayed: "ReferenceError: fuzzPriv is not defined" - same as in Comment 4. I managed to install the fuzzpriv extension, but as soon as the testcase is loaded, a "document.createElement(...).attachShadow is not a function" error gets thrown. Is there something that I might be missing?

Could you help us by confirming that this is fixed on the latest 62 beta asan build as well? Thank you!
Flags: needinfo?(twsmith)
Comment 15•6 years ago (Reporter)
Verified in Firefox 62.

(In reply to Tyson Smith [:tsmith] from comment #11)
> This bug was fixed by the patch in bug 1463116. I verified with m-c:
> BuildID=20180522095022
> SourceStamp=f85be0c4f0562ea59a91000883e0e7848491837c

The fuzzPriv extension is not supported on release or beta.
Flags: needinfo?(twsmith)
Comment 16•6 years ago
Thanks Tyson, Marking this as verified fixed (per comment 15).
Comment 17•5 years ago
I was able to confirm that the attached testcase reproduces the UAF as a crashtest against an affected revision with SpecialPowers substituted in and Shadow DOM preffed on. Testcase landed on inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c75f2874b74d
Also, I'm opening this bug up since the issue only ever affected Shadow DOM, which wasn't preffed on by default until long after this bug was fixed.
Group: core-security-release
Flags: needinfo?(bugs)
Flags: in-testsuite?
Flags: in-testsuite+
Comment 18•5 years ago (bugherder)
Updated•5 years ago
Component: DOM → DOM: Core & HTML