Closed Bug 1506157 Opened 1 year ago Closed 1 year ago

AddressSanitizer: use-after-poison [@ Type] with READ of size 1

Categories: Core :: Layout (defect, P2, critical)

Status: RESOLVED WORKSFORME

Tracking Status:
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 - disabled

People: Reporter: jkratzer, Unassigned

References: Blocks 2 open bugs

Attachments: 1 file

Testcase found while fuzzing mozilla-central rev 5e7636ec12c5.  I'm currently reducing the testcase and will update once complete.

==19123==ERROR: AddressSanitizer: use-after-poison on address 0x6250002158fd at pc 0x7fa01a7c044b bp 0x7fff3ea08430 sp 0x7fff3ea08428
READ of size 1 at 0x6250002158fd thread T0 (file:// Content)
    #0 0x7fa01a7c044a in Type src/layout/generic/nsIFrame.h:2762:38
    #1 0x7fa01a7c044a in IsColumnSetWrapperFrame src/obj-firefox/dist/include/mozilla/FrameTypeList.h:21
    #2 0x7fa01a7c044a in GetMultiColumnContainingBlockFor src/layout/base/nsCSSFrameConstructor.cpp:618
    #3 0x7fa01a7c044a in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:8773
    #4 0x7fa01a7ba68a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7887:9
    #5 0x7fa01a7ba31a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7871:11
    #6 0x7fa01a7ba31a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7871:11
    #7 0x7fa01a7a0012 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:9089:5
    #8 0x7fa01a71e6ab in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1551:25
    #9 0x7fa01a72fae3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3065:9
    #10 0x7fa01a6ce875 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3142:3
    #11 0x7fa01a6ce875 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4359
    #12 0x7fa01a63c96e in FlushPendingNotifications src/layout/base/nsIPresShell.h:591:5
    #13 0x7fa01a63c96e in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1907
    #14 0x7fa01a6507c3 in TickDriver src/layout/base/nsRefreshDriver.cpp:326:13
    #15 0x7fa01a6507c3 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301
    #16 0x7fa01a6501bc in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:319:5
    #17 0x7fa01a65344f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5
    #18 0x7fa01a65344f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:676
    #19 0x7fa01a652d82 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:573:9
    #20 0x7fa01b1636b8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:76:16
    #21 0x7fa011d30ef5 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #22 0x7fa011abc18d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #23 0x7fa0112a42c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2244:25
    #24 0x7fa01129fc4a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2171:17
    #25 0x7fa0112a1e51 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2008:5
    #26 0x7fa0112a2d17 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2041:15
    #27 0x7fa010033b81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #28 0x7fa01003c92d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #29 0x7fa0112ad62f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #31 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #32 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #33 0x7fa019f71003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7fa01e840e3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #35 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #36 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #37 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #38 0x7fa01e83fe9b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #39 0x55fb60507864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #40 0x55fb60507864 in main src/browser/app/nsBrowserApp.cpp:287
    #41 0x7fa033017b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #42 0x55fb6042ceec in _start (/home/worker/firefox-asan/firefox+0x2deec)

0x6250002158fd is located 4093 bytes inside of 8192-byte region [0x625000214900,0x625000216900)
allocated by thread T0 (file:// Content) here:
    #0 0x55fb604d4d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7fa00ffd0e30 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7fa00ffc66a8 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7fa00ffc66a8 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7fa00ffc66a8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7fa01a970a7a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
    #6 0x7fa01a970a7a in AllocateFrame src/layout/base/nsIPresShell.h:207
    #7 0x7fa01a970a7a in operator new src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fa01a970a7a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fa01a784013 in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2712:5
    #10 0x7fa01a6aa0e2 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1798:36
    #11 0x7fa0141b7f71 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1276:26
    #12 0x7fa012b34d22 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
    #13 0x7fa012b3035b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7fa012b2d24a in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
    #15 0x7fa012b3a36f in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:59:16
    #16 0x7fa00fff6685 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7fa010033b81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #18 0x7fa01003c92d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7fa0112ad62f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7fa019f71003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7fa01e840e3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #25 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7fa01e83fe9b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34

SUMMARY: AddressSanitizer: use-after-poison src/layout/generic/nsIFrame.h:2762:38 in Type
Shadow bytes around the buggy address:
  0x0c4a8003aac0: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7
  0x0c4a8003aad0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003aae0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003aaf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a8003ab10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]
  0x0c4a8003ab20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19123==ABORTING
Attached file testcase.html
Flags: in-testsuite?
Group: core-security → layout-core-security
Priority: -- → P2
Flags: needinfo?(aethanyc)
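Added example (editorial, not part of the bug report and not Gecko's code). The shadow legend above marks the faulting byte as f7, "Poisoned by user", and the allocation stack shows the 8192-byte region came from the layout frame arena (nsPresArena over ArenaAllocator<8192, 8>). Gecko keeps freed frames on an arena free list instead of returning them to malloc, and under ASan it poisons each freed slot, so a use-after-poison in Type() is a use-after-free of an nsIFrame that plain ASan heap tracking would not see. The model below shows that mechanism: a fixed-slot arena that poisons on free and unpoisons on reuse, with a double-free guard. All names (frame_t, arena_*), the 64-byte slot size and the stale-read flag in main are assumptions; the chunk size mirrors the trace. Built with -fsanitize=address the stale read aborts with "use-after-poison ... READ of size 1"; without ASan the poison macros are no-ops and the read silently returns scrubbed bytes.

```c
/* Added example (not Gecko code): arena with ASan manual poisoning of freed
 * slots, the mechanism behind the "Poisoned by user: f7" shadow byte above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<sanitizer/asan_interface.h>)
#    include <sanitizer/asan_interface.h>   /* real macros only under -fsanitize=address */
#  endif
#endif
#ifndef ASAN_POISON_MEMORY_REGION
#  define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))   /* no-op without ASan */
#  define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif

#define CHUNK_SIZE 8192          /* matches the 8192-byte region in the report */
#define SLOT_SIZE  64            /* hypothetical stand-in for a frame object size */
#define NSLOTS     (CHUNK_SIZE / SLOT_SIZE)

typedef struct frame {
    uint8_t type;                /* the 1-byte field a Type()-style accessor reads */
    uint8_t payload[SLOT_SIZE - 1];
} frame_t;

typedef struct {
    uint8_t *chunk;              /* one malloc'd chunk, like ArenaAllocator::AllocateChunk */
    size_t   bump;               /* bytes handed out from the chunk so far */
    frame_t *free_stack[NSLOTS]; /* freed slots, reused LIFO like a real free list */
    size_t   nfree;
    size_t   npoisoned;          /* bookkeeping so state is checkable without ASan */
} arena_t;

static arena_t *arena_new(void) {
    arena_t *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->chunk = malloc(CHUNK_SIZE);
    if (!a->chunk) { free(a); return NULL; }
    /* Nothing is live yet: poison the whole chunk so stray pointers into it trip ASan. */
    ASAN_POISON_MEMORY_REGION(a->chunk, CHUNK_SIZE);
    a->npoisoned = CHUNK_SIZE;
    return a;
}

/* Live means: inside the handed-out range and not sitting on the free stack. */
static int arena_is_live(const arena_t *a, const frame_t *f) {
    const uint8_t *p = (const uint8_t *)f;
    if (p < a->chunk || p + SLOT_SIZE > a->chunk + a->bump) return 0;
    for (size_t i = 0; i < a->nfree; i++)
        if (a->free_stack[i] == f) return 0;
    return 1;
}

static frame_t *arena_alloc_frame(arena_t *a, uint8_t type) {
    frame_t *f;
    if (a->nfree > 0) {
        f = a->free_stack[--a->nfree];          /* reuse: the same address comes back */
    } else if (a->bump + SLOT_SIZE <= CHUNK_SIZE) {
        f = (frame_t *)(a->chunk + a->bump);
        a->bump += SLOT_SIZE;
    } else {
        return NULL;                            /* single chunk only in this example */
    }
    ASAN_UNPOISON_MEMORY_REGION(f, SLOT_SIZE);  /* slot is addressable again */
    a->npoisoned -= SLOT_SIZE;
    memset(f, 0, SLOT_SIZE);
    f->type = type;
    return f;
}

static void arena_free_frame(arena_t *a, frame_t *f) {
    if (!arena_is_live(a, f)) {                 /* double free or foreign pointer */
        fputs("arena_free_frame: pointer is not a live slot\n", stderr);
        abort();
    }
    memset(f, 0xa5, SLOT_SIZE);                 /* scrub, then poison instead of free() */
    ASAN_POISON_MEMORY_REGION(f, SLOT_SIZE);
    a->npoisoned += SLOT_SIZE;
    a->free_stack[a->nfree++] = f;
}

static void arena_destroy(arena_t *a) {
    if (!a) return;
    ASAN_UNPOISON_MEMORY_REGION(a->chunk, CHUNK_SIZE); /* hand the chunk back clean */
    free(a->chunk);
    free(a);
}

/* Shape of the report: a frame is freed during a removal pass, a cached pointer
 * to it survives, and its type byte is read. Pass --stale-read to perform that
 * read; under ASan it aborts as use-after-poison, otherwise it prints 0xa5. */
int main(int argc, char **argv) {
    arena_t *a = arena_new();
    frame_t *wrapper = arena_alloc_frame(a, 7);
    frame_t *stale = wrapper;                   /* e.g. a cached containing-block pointer */
    arena_free_frame(a, wrapper);
    printf("live after free: %d, poisoned bytes: %zu\n", arena_is_live(a, stale), a->npoisoned);
    if (argc > 1 && strcmp(argv[1], "--stale-read") == 0)
        printf("type via stale pointer: %u\n", stale->type);  /* ASan: use-after-poison, READ of size 1 */
    arena_destroy(a);
    return 0;
}
```

The LIFO reuse is the part worth noticing when triaging such reports: the next allocation returns the same address, so a stale pointer that survives until reuse reads a different, live frame rather than poison, and the bug stops reproducing with ASan while remaining exploitable in an optimized build. That is also why a fuzz case like this one can go "WORKSFORME" once surrounding code changes the allocation order.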
We don't need to track this for 65 since it's behind a pref.
I need some advice on reproducing this locally. I've downloaded the AddressSanitizer debug build artifact from [1] and run a command like

"./firefox -layoutdebug -P asan 1506157.html", where the asan profile has "layout.css.column-span.enabled=true".

However, I cannot reproduce this bug, nor many of the other AddressSanitizer ones blocking bug 1421105.

Did I miss something?

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer
Flags: needinfo?(twsmith)
Flags: needinfo?(jkratzer)
(In reply to Ting-Yu Lin [:TYLin] (UTC-8) from comment #3)
> Did I miss something?

I also can't reproduce the issue. My guess is that this was actually a dup of another bug. I know there were other similar memory corruption issues reported at the same time.

Feel free to close it and I'll set layout.css.column-span.enabled=true in the fuzzers. We hit this issue frequently, so if it's in there we should be able to find it again quickly.
Flags: needinfo?(twsmith)
Flags: needinfo?(aethanyc)
Oops, checked the wrong ni? box.
Flags: needinfo?(jkratzer) → needinfo?(aethanyc)
Tyson, 

Thanks for the prompt feedback. I'll test the other bugs and close them if I cannot reproduce them by loading the test case into the ASan build.

Meanwhile, I'm fixing known issues related to column-span in bug 1507244, bug 1506314, bug 1507196, etc. It might be better to enable layout.css.column-span.enabled in the fuzzers after those have landed, to avoid duplicate issues. I'll give you a signal in bug 1491723 when it's ready.
Flags: needinfo?(aethanyc) → needinfo?(twsmith)
That works for me, thanks.
Flags: needinfo?(twsmith)
Tested on Asan Nightly 2018-12-18. Close this because it is no longer reproducible per comment 3 and comment 4.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Group: layout-core-security