Open Bug 1479897 Opened 2 years ago Updated 2 years ago

use-after-poison in [@ AutoWeakFrame::Init]

Categories: Core :: Layout, defect, P3

Tracking Status: firefox63 --- affected

People: Reporter: tsmith, Unassigned

References: Blocks 1 open bug

Attachments: 2 files

Reduced with m-c:
BuildID=20180731183034
SourceStamp=5a5fb40fb92245de198f4fc48c1187a2b5abd02a

==118691==ERROR: AddressSanitizer: use-after-poison on address 0x625000f051e8 at pc 0x7f22a48e85c3 bp 0x7fff69e7cc80 sp 0x7fff69e7cc78
READ of size 8 at 0x625000f051e8 thread T0
    #0 0x7f22a48e85c2 in get src/obj-firefox/dist/include/mozilla/RefPtr.h:296:27
    #1 0x7f22a48e85c2 in operator mozilla::ComputedStyle * src/obj-firefox/dist/include/mozilla/RefPtr.h:309
    #2 0x7f22a48e85c2 in Style src/layout/generic/nsIFrame.h:783
    #3 0x7f22a48e85c2 in PresContext src/layout/generic/nsIFrame.h:628
    #4 0x7f22a48e85c2 in AutoWeakFrame::Init(nsIFrame*) src/layout/generic/nsFrame.cpp:479
    #5 0x7f22a4dd53ee in AutoWeakFrame src/layout/generic/nsIFrame.h:4581:5
    #6 0x7f22a4dd53ee in nsXULPopupManager::HidePopupCallback(nsIContent*, nsMenuPopupFrame*, nsIContent*, nsIContent*, nsPopupType, bool) src/layout/xul/nsXULPopupManager.cpp:1153
    #7 0x7f22a4dd42b7 in nsXULPopupManager::FirePopupHidingEvent(nsIContent*, nsIContent*, nsIContent*, nsPresContext*, nsPopupType, bool, bool) src/layout/xul/nsXULPopupManager.cpp:1613:7
    #8 0x7f22a4dc7fe9 in nsXULPopupManager::HidePopup(nsIContent*, bool, bool, bool, bool, nsIContent*) src/layout/xul/nsXULPopupManager.cpp:1068:7
    #9 0x7f22a3c110da in mozilla::dom::XULPopupElement::HidePopup(bool) src/dom/xul/XULPopupElement.cpp:121:9
    #10 0x7f22a11daf90 in mozilla::dom::XULPopupElement_Binding::hidePopup(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XULPopupElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/XULPopupElementBinding.cpp:906:9
    #11 0x7f22a1bed935 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3311:13
    #12 0x7f22a7f5beae in CallJSNative src/js/src/vm/Interpreter.cpp:444:15
    #13 0x7f22a7f5beae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:532
    #14 0x7f22a7f5dd12 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:602:10
    #15 0x7f22a8b76015 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:176:12
    #16 0x7f22a8b3b158 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #17 0x7f22a8b50be3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:510:21
    #18 0x7f22a7f5cda4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:508:20
    #19 0x7f22a7f46ac2 in CallFromStack src/js/src/vm/Interpreter.cpp:589:12
    #20 0x7f22a7f46ac2 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3239
    #21 0x7f22a7f2ca5a in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:12
    #22 0x7f22a7f5c784 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:556:15
    #23 0x7f22a822e4d7 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:2582:14
    #24 0x30fd635821b7  (<unknown module>)

0x625000f051e8 is located 232 bytes inside of 8192-byte region [0x625000f05100,0x625000f07100)
allocated by thread T0 here:
    #0 0x4c1e03 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f229c27c5b3 in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f229c27c5b3 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7f229c27c5b3 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f229c27c5b3 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f22a4f5acc6 in AllocateByObjectID src/layout/base/nsPresArena.h:52:12
    #6 0x7f22a4f5acc6 in AllocateByObjectID src/layout/base/nsIPresShell.h:226
    #7 0x7f22a4f5acc6 in operator new src/layout/painting/FrameLayerBuilder.h:96
    #8 0x7f22a4f5acc6 in mozilla::FrameLayerBuilder::StoreDataForFrame(nsDisplayItem*, mozilla::layers::Layer*, mozilla::LayerState, mozilla::DisplayItemData*) src/layout/painting/FrameLayerBuilder.cpp:5536
    #9 0x7f22a4f5cb40 in mozilla::FrameLayerBuilder::AddPaintedDisplayItem(mozilla::PaintedLayerData*, mozilla::AssignedDisplayItem&, mozilla::ContainerState&, mozilla::layers::Layer*) src/layout/painting/FrameLayerBuilder.cpp:5403:14
    #10 0x7f22a4f2ed44 in FinishPaintedLayerData<(lambda at src/layout/painting/FrameLayerBuilder.cpp:3210:52)> src/layout/painting/FrameLayerBuilder.cpp:3578:20
    #11 0x7f22a4f2ed44 in mozilla::PaintedLayerDataNode::PopAllPaintedLayerData() src/layout/painting/FrameLayerBuilder.cpp:3210
    #12 0x7f22a4f2db4d in mozilla::PaintedLayerDataNode::Finish(bool) src/layout/painting/FrameLayerBuilder.cpp:3175:3
    #13 0x7f22a4f2de57 in mozilla::PaintedLayerDataNode::FinishAllChildren(bool) src/layout/painting/FrameLayerBuilder.cpp:3164:19
    #14 0x7f22a4f35686 in Finish src/layout/painting/FrameLayerBuilder.cpp:3173:3
    #15 0x7f22a4f35686 in mozilla::PaintedLayerDataTree::Finish() src/layout/painting/FrameLayerBuilder.cpp:3235
    #16 0x7f22a4f6824c in mozilla::ContainerState::Finish(unsigned int*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:5967:25
    #17 0x7f22a4f6b16d in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:6346:9
    #18 0x7f22a5040571 in nsDisplayOpacity::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) src/layout/painting/nsDisplayList.cpp:6103:5
    #19 0x7f22a4f5072f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:4892:38
    #20 0x7f22a4f6afe1 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:6339:9
    #21 0x7f22a505d7b3 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) src/layout/painting/nsDisplayList.cpp:8381:5
    #22 0x7f22a4f5072f in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) src/layout/painting/FrameLayerBuilder.cpp:4892:38
    #23 0x7f22a4f6afe1 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) src/layout/painting/FrameLayerBuilder.cpp:6339:9
    #24 0x7f22a500186d in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) src/layout/painting/nsDisplayList.cpp:2525:9
    #25 0x7f22a500380b in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2736:20
    #26 0x7f22a4737041 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
    #27 0x7f22a4628006 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6343:5
Flags: in-testsuite?
Attached file testcase.html
Attached file prefs.js
Not sure if this is required, but it does make reproducing the issue much faster.
Hey Sean, can you find an owner for this? Thanks!
Flags: needinfo?(svoisen)
Priority: -- → P1
This looks like legit frame-poisoning so shouldn't be exploitable.
Group: layout-core-security
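The "use-after-poison" wording in the ASan report, and the comment above that this is "legit frame-poisoning", both refer to the same mechanism: layout frames live in an arena (the 8192-byte ArenaAllocator chunk in the allocation stack), freed slots are recycled through a free list, and while a slot sits on that list it is filled with a poison pattern and, in AddressSanitizer builds, explicitly marked poisoned. A read through a stale frame pointer such as the one AutoWeakFrame::Init performs here is therefore reported deterministically rather than silently reading whatever frame was recycled into the slot. The following toy arena is an added illustration of that technique and is not code from Gecko or from this bug; the slot size, poison constant, and Frame layout are assumptions chosen for the example.

```c
/*
 * Added example (not Gecko code): a toy arena with "frame poisoning" in the
 * style of nsPresArena.  Freed slots are recycled through a free list, so a
 * dangling frame pointer would otherwise alias the next frame allocated.
 * On free the slot is filled with a poison word and, in AddressSanitizer
 * builds, marked poisoned with ASAN_POISON_MEMORY_REGION; a read through a
 * stale pointer is then reported as use-after-poison.
 *
 *   cc -g -fsanitize=address poison_arena.c && ./a.out   (ASan report)
 *   cc -g poison_arena.c && ./a.out                      (pattern check only)
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#else
#  define ASAN_POISON_MEMORY_REGION(a, n)   ((void)(a), (void)(n))
#  define ASAN_UNPOISON_MEMORY_REGION(a, n) ((void)(a), (void)(n))
#endif

/* Assumed poison word for this example.  Gecko uses a pointer into a
 * reserved, never-mapped page so a poisoned field faults even without ASan. */
#define POISON_WORD 0x7ffffffff0f0f0f0ULL

#define SLOT_SIZE  64                        /* assumed frame size */
#define SLOT_COUNT 8
#define SLOT_WORDS (SLOT_SIZE / 8)

typedef struct {
    uint64_t chunk[SLOT_WORDS * SLOT_COUNT]; /* stands in for the 8192-byte arena chunk */
    void    *free_list[SLOT_COUNT];          /* recycled slots, like nsPresArena's free list */
    size_t   free_count;
    size_t   next_fresh;                     /* bump index for never-used slots */
} Arena;

/* Toy stand-in for nsIFrame: the first word is the style pointer that the
 * PresContext()/Style() chain in the report reads. */
typedef struct {
    void    *style;
    uint64_t padding[SLOT_WORDS - 1];
} Frame;

void arena_init(Arena *a) { memset(a, 0, sizeof *a); }

static void fill_poison(void *p) {
    uint64_t *w = p;
    for (size_t i = 0; i < SLOT_WORDS; i++) w[i] = POISON_WORD;
}

/* True when every word of the slot still carries the poison pattern. */
int slot_is_poisoned(const void *p) {
    const uint64_t *w = p;
    for (size_t i = 0; i < SLOT_WORDS; i++)
        if (w[i] != POISON_WORD) return 0;
    return 1;
}

Frame *arena_alloc_frame(Arena *a) {
    void *p;
    if (a->free_count > 0) {
        p = a->free_list[--a->free_count];
        ASAN_UNPOISON_MEMORY_REGION(p, SLOT_SIZE);
        /* A slot that lost its poison was written through a dangling
         * pointer while on the free list: treat that as fatal. */
        if (!slot_is_poisoned(p)) abort();
    } else if (a->next_fresh < SLOT_COUNT) {
        p = &a->chunk[a->next_fresh++ * SLOT_WORDS];
    } else {
        return NULL;
    }
    memset(p, 0, SLOT_SIZE);
    return p;
}

void arena_free_frame(Arena *a, Frame *f) {
    fill_poison(f);
    ASAN_POISON_MEMORY_REGION(f, SLOT_SIZE); /* any later access is use-after-poison */
    a->free_list[a->free_count++] = f;
}

int asan_enabled(void) {
#ifdef HAVE_ASAN
    return 1;
#else
    return 0;
#endif
}

/* The bug's access pattern: read the style word through a stale frame
 * pointer.  Under ASan this read is the reported use-after-poison; without
 * ASan it yields the poison word, which the caller can recognise. */
int stale_read_sees_poison(const Frame *stale) {
    return (uintptr_t)stale->style == (uintptr_t)POISON_WORD;
}

int main(void) {
    Arena a;
    arena_init(&a);
    Frame *f = arena_alloc_frame(&a);
    Frame *weak = f;                          /* a weak frame that is never cleared */
    arena_free_frame(&a, f);                  /* frame destroyed, e.g. popup hidden */
    printf("stale read sees poison: %d\n", stale_read_sees_poison(weak));
    Frame *g = arena_alloc_frame(&a);         /* recycled into the same slot */
    printf("recycled same slot: %d\n", g == f);
    return 0;
}
```

The recycling step is the point of the check: without poisoning, the stale pointer in `weak` would read `g`'s freshly zeroed (or attacker-shaped) contents and the bug would be a classic arena use-after-free; with poisoning, the first stale read is caught in ASan builds and returns a recognisable pattern in release builds.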
heycam: Thoughts on this?
Flags: needinfo?(svoisen) → needinfo?(cam)
This seems to be in XUL code (notice XULPopupElement / nsXULPopupManager code in the backtrace).  Given that we're moving away from XUL in general, this is probably low priority given that it doesn't seem to be exploitable.  We don't want to invest too much in making XUL better at this point.

(I don't know specifically about the replacement plans for XULPopupElement, but I assume it's doomed like the rest of XUL)
De-prioritizing to P3 given the input from dveditz and dholbert.
Flags: needinfo?(cam)
Priority: P1 → P3