Closed Bug 1506717 Opened 1 year ago Closed 1 year ago

AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsQueryFrame.h:114:45 in operator nsIScrollableFrame *<nsIScrollableFrame>

Categories

(Core :: Layout: Columns, defect, P2, critical)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 - disabled

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(1 file)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 5e7636ec12c5.

==32561==ERROR: AddressSanitizer: use-after-poison on address 0x625000267ce0 at pc 0x7f9e03c0cf9b bp 0x7ffebbd38d30 sp 0x7ffebbd38d28
READ of size 8 at 0x625000267ce0 thread T0 (file:// Content)
    #0 0x7f9e03c0cf9a in operator nsIScrollableFrame *<nsIScrollableFrame> /builds/worker/workspace/build/src/layout/generic/nsQueryFrame.h:114:45
    #1 0x7f9e03c0cf9a in nsLayoutUtils::GetNearestScrollableFrameForDirection(nsIFrame*, nsLayoutUtils::Direction) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:1954
    #2 0x7f9e03a92b6f in GetNearestScrollableFrame /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2902:10
    #3 0x7f9e03a92b6f in nsIPresShell::GetScrollableFrameToScrollForContent(nsIContent*, nsIPresShell::ScrollDirection) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2920
    #4 0x7f9dfc70b946 in mozilla::layers::FocusTarget::FocusTarget(nsIPresShell*, unsigned long) /builds/worker/workspace/build/src/gfx/layers/apz/src/FocusTarget.cpp:207:16
    #5 0x7f9e03ac5ec2 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6286:23
    #6 0x7f9e032527cc in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #7 0x7f9e032515cc in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #8 0x7f9e03257066 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #9 0x7f9e03a13aa8 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2049:11
    #10 0x7f9e03a257c3 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:13
    #11 0x7f9e03a257c3 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #12 0x7f9e03a251bc in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319:5
    #13 0x7f9e03a2844f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #14 0x7f9e03a2844f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:676
    #15 0x7f9e03a27d82 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:573:9
    #16 0x7f9e045386b8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:76:16
    #17 0x7f9dfb105ef5 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #18 0x7f9dfae9118d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #19 0x7f9dfa6792c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2244:25
    #20 0x7f9dfa674c4a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2171:17
    #21 0x7f9dfa676e51 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2008:5
    #22 0x7f9dfa677d17 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2041:15
    #23 0x7f9df9408b81 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #24 0x7f9df941192d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #25 0x7f9dfa68262f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #26 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #27 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #28 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #29 0x7f9e03346003 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #30 0x7f9e07c15e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #31 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #32 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #33 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #34 0x7f9e07c14e9b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #35 0x55d726378864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #36 0x55d726378864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #37 0x7f9e1c409b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #38 0x55d72629deec in _start (/home/forb1dden/builds/mc-asan/firefox+0x2deec)

0x625000267ce0 is located 3040 bytes inside of 8192-byte region [0x625000267100,0x625000269100)
allocated by thread T0 (file:// Content) here:
    #0 0x55d726345d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f9df93a5e30 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f9df939b6a8 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7f9df939b6a8 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f9df939b6a8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f9e03d45a7a in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7f9e03d45a7a in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207
    #7 0x7f9e03d45a7a in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7f9e03d45a7a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7f9e03b59013 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2712:5
    #10 0x7f9e03a7f0e2 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1798:36
    #11 0x7f9dfd58cf71 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1276:26
    #12 0x7f9dfbf09d22 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
    #13 0x7f9dfbf0535b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7f9dfbf0224a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
    #15 0x7f9dfbf0e5db in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:123:18
    #16 0x7f9df93cb685 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7f9df9408b81 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #18 0x7f9df941192d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7f9dfa68262f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7f9e03346003 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7f9e07c15e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #25 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7f9e07c14e9b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:780:34

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsQueryFrame.h:114:45 in operator nsIScrollableFrame *<nsIScrollableFrame>
Shadow bytes around the buggy address:
  0x0c4a80044f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80044f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80044f60: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
  0x0c4a80044f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80044f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a80044f90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
  0x0c4a80044fa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80044fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80044fc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80044fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80044fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==32561==ABORTING
Flags: in-testsuite?
Group: core-security → layout-core-security
Testcase has "-moz-column-span: all" so I'm guessing this is
related to the other column-span bugs filed recently?
Component: Layout → Layout: Columns
Flags: needinfo?(aethanyc)
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
We don't need to track this for 65 since it's sec-low and behind a pref.
I cannot reproduce this bug on 2018-12-20 fuzzing asan opt build [1] with prefs [2] having layout.css.column-span.enabled=true. Close as WORKSFORME.

[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt
[2] https://github.com/MozillaSecurity/fuzzdata/blob/00d671853af1bea93bae22f5e052138c7a8f269d/settings/firefox/prefs-default.js
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(aethanyc)
Resolution: --- → WORKSFORME
Group: layout-core-security