Closed Bug 1463524 Opened 7 years ago Closed 7 years ago

AddressSanitizer: heap-use-after-free memcpy checkout/src/libcore/slice/mod.rs:677

Categories: (Core :: CSS Parsing and Computation, defect)
61 Branch, defect, Not set, normal

Status: RESOLVED INVALID
Tracking Status: firefox62 --- affected

People: (Reporter: rs, Unassigned)

Details: (Keywords: crash, csectype-uaf, testcase-wanted)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3418.2 Safari/537.36 Firefox for Android

Steps to reproduce:

No repro so far, yesterday's Mozilla Nightly build.

Actual results:

==27052==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000327f00 at pc 0x00000043ef69 bp 0x7ffe2f816be0 sp 0x7ffe2f816380
READ of size 8648768 at 0x621000327f00 thread T0 (file:// Content)
    #0 0x43ef68 in memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5
    #1 0x7face861407a in _$LT$$u5b$T$u5d$$u20$as$u20$core..slice..SliceExt$GT$::copy_from_slice::h698a53e8c1ea4269 /checkout/src/libcore/slice/mod.rs:677
    #2 0x7face861407a in alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::copy_from_slice::h108f0139db1d2091 /checkout/src/liballoc/slice.rs:1528
    #3 0x7face861407a in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$$u27$a$u20$T$C$$u20$core..slice..Iter$LT$$u27$a$C$$u20$T$GT$$GT$$GT$::spec_extend::h28e5b478c3e8ec5a /checkout/src/liballoc/vec.rs:1907
    #4 0x7face861407a in _$LT$alloc..vec..Vec$LT$T$GT$$GT$::extend_from_slice::haff8dfacab5e8487 /checkout/src/liballoc/vec.rs:1276
    #5 0x7face861407a in alloc::slice::hack::to_vec::h43ec5b145b793bf5 /checkout/src/liballoc/slice.rs:166
    #6 0x7face861407a in alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::heab816c20eeeea16 /checkout/src/liballoc/slice.rs:1604
    #7 0x7face861407a in style::gecko_string_cache::WeakAtom::to_ascii_lowercase::hd4cffeaf154bc84e /builds/worker/workspace/build/src/servo/components/style/gecko_string_cache/mod.rs:214
    #8 0x7face86a425e in _$LT$style..selector_map..MaybeCaseInsensitiveHashMap$LT$style..gecko_string_cache..Atom$C$$u20$V$GT$$GT$::try_entry::h9bc0098e831485ab /builds/worker/workspace/build/src/servo/components/style/selector_map.rs:523
    #9 0x7face86a12af in style::invalidation::element::invalidation_map::InvalidationMap::note_selector::h7dd85b7d7345a428 /builds/worker/workspace/build/src/servo/components/style/invalidation/element/invalidation_map.rs:280
    #10 0x7face856103a in style::stylist::CascadeData::add_stylesheet::h66f8197bb1921586 /builds/worker/workspace/build/src/servo/components/style/stylist.rs:2237
    #11 0x7face856b360 in style::stylist::CascadeData::rebuild::hfc9c94e2216488fb /builds/worker/workspace/build/src/servo/components/style/stylist.rs:2082
    #12 0x7face856b360 in style::stylist::DocumentCascadeData::rebuild::hf2394d3acef1c0b5 /builds/worker/workspace/build/src/servo/components/style/stylist.rs:262
    #13 0x7face856b360 in style::stylist::Stylist::flush::h4de38726830b0668 /builds/worker/workspace/build/src/servo/components/style/stylist.rs:524
    #14 0x7face856b360 in style::gecko::data::PerDocumentStyleDataImpl::flush_stylesheets::hc3283a42c45fc5a1 /builds/worker/workspace/build/src/servo/components/style/gecko/data.rs:173
    #15 0x7face856b360 in Servo_StyleSet_FlushStyleSheets /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:1484
    #16 0x7face28104db in mozilla::ServoStyleSet::UpdateStylist() /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1462:5
    #17 0x7face2809601 in UpdateStylistIfNeeded /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ServoStyleSet.h:289:7
    #18 0x7face2809601 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(nsAtom*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:606
    #19 0x7face29fc67d in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2702:15
    #20 0x7face29572d4 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1791:36
    #21 0x7facddac1c12 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1273:26
    #22 0x7facdc979c42 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:673:18
    #23 0x7facdc9751ab in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1199:17
    #24 0x7facdc972136 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:17
    #25 0x7facdc9714ec in BackgroundFlushCallback(mozilla::TimeStamp) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:284:9
    #26 0x7facda91bbcd in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #27 0x7facda91bbcd in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:62
    #28 0x7facda960a16 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #29 0x7facda97c950 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #30 0x7facdb85cbba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #31 0x7facdb7b0259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #32 0x7facdb7b0259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #33 0x7facdb7b0259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #34 0x7face23c749a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #35 0x7face661b1bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #36 0x7facdb7b0259 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7facdb7b0259 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7facdb7b0259 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #39 0x7face661ab80 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #40 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #41 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #42 0x7facf9c95b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #43 0x42476c in _start (/home/fuzzer/browsers/firefox/firefox+0x42476c)

0x621000328900 is located 0 bytes to the right of 4096-byte region [0x621000327900,0x621000328900)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7face1c945fb in js_free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:419:5
    #2 0x7face1c945fb in free_ /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:43
    #3 0x7face1c945fb in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BufferList.h:153
    #4 0x7face1c945fb in ~BufferList /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BufferList.h:124
    #5 0x7face1c945fb in ~JSStructuredCloneData /builds/worker/workspace/build/src/obj-firefox/dist/include/js/StructuredClone.h:419
    #6 0x7face1c945fb in ~SharedJSAllocatedData /builds/worker/workspace/build/src/dom/ipc/StructuredCloneData.h:80
    #7 0x7face1c945fb in Release /builds/worker/workspace/build/src/dom/ipc/StructuredCloneData.h:74
    #8 0x7face1c945fb in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #9 0x7face1c945fb in RefPtr<mozilla::dom::ipc::SharedJSAllocatedData>::ConstRemovingRefPtrTraits<mozilla::dom::ipc::SharedJSAllocatedData>::Release(mozilla::dom::ipc::SharedJSAllocatedData*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #10 0x7face1c52603 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79:7
    #11 0x7face1c52603 in mozilla::dom::ipc::StructuredCloneData::~StructuredCloneData() /builds/worker/workspace/build/src/dom/ipc/StructuredCloneData.cpp:46
    #12 0x7facdd7eed44 in nsFrameMessageManager::DispatchAsyncMessage(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, JS::Handle<JSObject*>, nsIPrincipal*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:674:1
    #13 0x7facde3d8cad in SendAsyncMessage /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.h:201:5
    #14 0x7facde3d8cad in SendAsyncMessage /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/MessageManagerGlobal.h:78
    #15 0x7facde3d8cad in mozilla::dom::ContentFrameMessageManagerBinding::sendAsyncMessage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ContentFrameMessageManager*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MessageManagerBinding.cpp:2849
    #16 0x7face003ca83 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3260:13
    #17 0x274ff13b837f (<unknown module>)
    #18 0x621001e6f6df (<unknown module>)
    #19 0x274ff13b7f40 (<unknown module>)
    #20 0x621001b5b137 (<unknown module>)
    #21 0x274ff13654e1 (<unknown module>)
    #22 0x7face6e808b6 in EnterJit /builds/worker/workspace/build/src/js/src/jit/Jit.cpp:99:9
    #23 0x7face6e808b6 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/jit/Jit.cpp:163
    #24 0x7face68d4174 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:402:34
    #25 0x7face6903255 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #26 0x7face69044d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #27 0x7face7443b80 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2922:12
    #28 0x7facdc2b3a6a in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1123:23
    #29 0x7facda98fc10 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:119:28
    #30 0x7facda98eb8a in SharedStub (/home/fuzzer/browsers/firefox/libxul.so+0x20aab8a)
    #31 0x7facdc7975dc in nsDocLoader::OnSecurityChange(nsISupports*, unsigned int) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1477:3
    #32 0x7face609d245 in TellTheWorld /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:1042:25
    #33 0x7face609d245 in nsSecureBrowserUIImpl::UpdateSecurityState(nsIRequest*, bool, bool) /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:1027
    #34 0x7face609c188 in nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState(nsIRequest*, nsISupports*, bool, bool) /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:409:3
    #35 0x7face60a05a7 in nsSecureBrowserUIImpl::OnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*, unsigned int) /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:1112:5
    #36 0x7facdc7961e2 in nsDocLoader::FireOnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*, unsigned int) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1326:3
    #37 0x7face5b3dec6 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8815:5
    #38 0x7face5b3b0a0 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:196:21
    #39 0x7facdc79dbef in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:767:28
    #40 0x7facdc79b239 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:435:30
    #41 0x7facdc799bbc in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:313:8
    #42 0x7facdb3ece62 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:748:28

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7facdb8c97ce in js_malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:388:12
    #2 0x7facdb8c97ce in js_pod_malloc<char> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:578
    #3 0x7facdb8c97ce in maybe_pod_malloc<char> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:33
    #4 0x7facdb8c97ce in pod_malloc<char> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:38
    #5 0x7facdb8c97ce in mozilla::BufferList<js::SystemAllocPolicy>::AllocateSegment(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BufferList.h:391
    #6 0x7facdb8ca888 in AllocateBytes /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BufferList.h:454:16
    #7 0x7facdb8ca888 in WriteBytes /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BufferList.h:419
    #8 0x7facdb8ca888 in JSStructuredCloneData::AppendBytes(char const*, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/js/StructuredClone.h:446
    #9 0x7face69535a7 in write /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:909:14
    #10 0x7face69535a7 in writePair /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:926
    #11 0x7face69535a7 in writeHeader /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:1608
    #12 0x7face69535a7 in JSStructuredCloneWriter::init() /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:483
    #13 0x7face6952c98 in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:618:12
    #14 0x7face6971122 in JS_WriteStructuredClone /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:2760:12
    #15 0x7face6971122 in JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*) /builds/worker/workspace/build/src/js/src/vm/StructuredClone.cpp:2893
    #16 0x7facdda35493 in mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy) /builds/worker/workspace/build/src/dom/base/StructuredCloneHolder.cpp:201:17
    #17 0x7facdda3571d in mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/StructuredCloneHolder.cpp:301:35
    #18 0x7face1c53935 in mozilla::dom::ipc::StructuredCloneData::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/ipc/StructuredCloneData.cpp:121:26
    #19 0x7facdd7ecd26 in GetParamsForMessage(JSContext*, JS::Value const&, JS::Value const&, mozilla::dom::ipc::StructuredCloneData&) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:450:9
    #20 0x7facdd7eeb15 in nsFrameMessageManager::DispatchAsyncMessage(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, JS::Handle<JSObject*>, nsIPrincipal*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:656:31
    #21 0x7facde3d8cad in SendAsyncMessage /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.h:201:5
    #22 0x7facde3d8cad in SendAsyncMessage /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/MessageManagerGlobal.h:78
    #23 0x7facde3d8cad in mozilla::dom::ContentFrameMessageManagerBinding::sendAsyncMessage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ContentFrameMessageManager*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MessageManagerBinding.cpp:2849
    #24 0x7face003ca83 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3260:13
    #25 0x274ff13b837f (<unknown module>)
    #26 0x621001e6f6df (<unknown module>)
    #27 0x274ff13b7f40 (<unknown module>)
    #28 0x621001b5b137 (<unknown module>)
    #29 0x274ff13654e1 (<unknown module>)
    #30 0x7face6e808b6 in EnterJit /builds/worker/workspace/build/src/js/src/jit/Jit.cpp:99:9
    #31 0x7face6e808b6 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/jit/Jit.cpp:163
    #32 0x7face68d4174 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:402:34
    #33 0x7face6903255 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #34 0x7face69044d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #35 0x7face7443b80 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2922:12
    #36 0x7facdc2b3a6a in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1123:23
    #37 0x7facda98fc10 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:119:28
    #38 0x7facda98eb8a in SharedStub (/home/fuzzer/browsers/firefox/libxul.so+0x20aab8a)
    #39 0x7facdc7975dc in nsDocLoader::OnSecurityChange(nsISupports*, unsigned int) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1477:3
    #40 0x7face609d245 in TellTheWorld /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:1042:25
    #41 0x7face609d245 in nsSecureBrowserUIImpl::UpdateSecurityState(nsIRequest*, bool, bool) /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:1027
    #42 0x7face609c188 in nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState(nsIRequest*, nsISupports*, bool, bool) /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:409:3
    #43 0x7face60a05a7 in nsSecureBrowserUIImpl::OnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*, unsigned int) /builds/worker/workspace/build/src/security/manager/ssl/nsSecureBrowserUIImpl.cpp:1112:5

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:5 in memcpy
Shadow bytes around the buggy address:
  0x0c428005cf90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005cfa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005cfb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005cfc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005cfd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c428005cfe0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005cff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005d000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005d010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005d020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c428005d030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27052==ABORTING
Group: firefox-core-security → layout-core-security
Component: Untriaged → CSS Parsing and Computation
Keywords: csectype-uaf
Product: Firefox → Core
Misdirected memcpy of 8Mb in Rust code seems pretty scary, if these stacks make any kind of sense. Francisco: any idea what you were doing here? Emilio: does this stack give you any clues? Maybe a bit string coming in from IPC and not held on to? Where do we get WeakAtoms from?
Flags: needinfo?(rs)
Flags: needinfo?(emilio)
WeakAtom is basically where the atom implementation goes, so that indicates a refcount messup, either in the style code or somewhere else in Gecko. There are a bunch of Gecko callers which seem to mess up atom refcounting looking at the crashtest signature of nsAtom::Release, so knowing what triggered this would be extra-helpful to find out. I did audit style callers manually a bit ago and they all seemed sane.
Flags: needinfo?(emilio)
Flags: needinfo?(rs)
Francisco, I wonder if it would be feasible for you to run your fuzzing tests under rr? Then it should be possible for us to reproduce it by just replaying your run.
(In reply to Mats Palmgren (:mats) from comment #3)
> Francisco, I wonder if it would be feasible for you to run your fuzzing tests
> under rr?
> Then it should be possible for us to reproduce it by just replaying your run.

It is not possible at this moment; once another issue that I have reported is resolved, I will continue working with Firefox.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Group: layout-core-security