Closed
Bug 1506717
Opened 6 years ago
Closed 5 years ago
AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsQueryFrame.h:114:45 in operator nsIScrollableFrame *<nsIScrollableFrame>
Categories
(Core :: Layout: Columns, defect, P2)
Core
Layout: Columns
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | - | disabled |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(5 keywords)
Attachments
(1 file)
|
685 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 5e7636ec12c5.
==32561==ERROR: AddressSanitizer: use-after-poison on address 0x625000267ce0 at pc 0x7f9e03c0cf9b bp 0x7ffebbd38d30 sp 0x7ffebbd38d28
READ of size 8 at 0x625000267ce0 thread T0 (file:// Content)
#0 0x7f9e03c0cf9a in operator nsIScrollableFrame *<nsIScrollableFrame> /builds/worker/workspace/build/src/layout/generic/nsQueryFrame.h:114:45
#1 0x7f9e03c0cf9a in nsLayoutUtils::GetNearestScrollableFrameForDirection(nsIFrame*, nsLayoutUtils::Direction) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:1954
#2 0x7f9e03a92b6f in GetNearestScrollableFrame /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2902:10
#3 0x7f9e03a92b6f in nsIPresShell::GetScrollableFrameToScrollForContent(nsIContent*, nsIPresShell::ScrollDirection) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2920
#4 0x7f9dfc70b946 in mozilla::layers::FocusTarget::FocusTarget(nsIPresShell*, unsigned long) /builds/worker/workspace/build/src/gfx/layers/apz/src/FocusTarget.cpp:207:16
#5 0x7f9e03ac5ec2 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6286:23
#6 0x7f9e032527cc in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
#7 0x7f9e032515cc in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
#8 0x7f9e03257066 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
#9 0x7f9e03a13aa8 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2049:11
#10 0x7f9e03a257c3 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:13
#11 0x7f9e03a257c3 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
#12 0x7f9e03a251bc in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319:5
#13 0x7f9e03a2844f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
#14 0x7f9e03a2844f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:676
#15 0x7f9e03a27d82 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:573:9
#16 0x7f9e045386b8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:76:16
#17 0x7f9dfb105ef5 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#18 0x7f9dfae9118d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
#19 0x7f9dfa6792c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2244:25
#20 0x7f9dfa674c4a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2171:17
#21 0x7f9dfa676e51 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2008:5
#22 0x7f9dfa677d17 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2041:15
#23 0x7f9df9408b81 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
#24 0x7f9df941192d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#25 0x7f9dfa68262f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#26 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#27 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#28 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#29 0x7f9e03346003 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#30 0x7f9e07c15e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:954:22
#31 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#32 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#33 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#34 0x7f9e07c14e9b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:780:34
#35 0x55d726378864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#36 0x55d726378864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
#37 0x7f9e1c409b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#38 0x55d72629deec in _start (/home/forb1dden/builds/mc-asan/firefox+0x2deec)
0x625000267ce0 is located 3040 bytes inside of 8192-byte region [0x625000267100,0x625000269100)
allocated by thread T0 (file:// Content) here:
#0 0x55d726345d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x7f9df93a5e30 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
#2 0x7f9df939b6a8 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
#3 0x7f9df939b6a8 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
#4 0x7f9df939b6a8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
#5 0x7f9e03d45a7a in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
#6 0x7f9e03d45a7a in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207
#7 0x7f9e03d45a7a in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
#8 0x7f9e03d45a7a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
#9 0x7f9e03b59013 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2712:5
#10 0x7f9e03a7f0e2 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1798:36
#11 0x7f9dfd58cf71 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1276:26
#12 0x7f9dfbf09d22 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
#13 0x7f9dfbf0535b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1204:17
#14 0x7f9dfbf0224a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
#15 0x7f9dfbf0e5db in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:123:18
#16 0x7f9df93cb685 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#17 0x7f9df9408b81 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
#18 0x7f9df941192d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
#19 0x7f9dfa68262f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#20 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#21 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#22 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#23 0x7f9e03346003 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#24 0x7f9e07c15e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:954:22
#25 0x7f9dfa57eaee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
#26 0x7f9dfa57eaee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
#27 0x7f9dfa57eaee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
#28 0x7f9e07c14e9b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:780:34
SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsQueryFrame.h:114:45 in operator nsIScrollableFrame *<nsIScrollableFrame>
Shadow bytes around the buggy address:
0x0c4a80044f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80044f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80044f60: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
0x0c4a80044f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80044f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a80044f90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
0x0c4a80044fa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80044fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80044fc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80044fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80044fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==32561==ABORTINGFlags: in-testsuite?
|
||
Updated•6 years ago
|
Group: core-security → layout-core-security
|
||
Updated•6 years ago
|
status-firefox63:
--- → unaffected
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
tracking-firefox65:
--- → +
|
|
||
Updated•6 years ago
|
Keywords: csectype-framepoisoning,
sec-low
|
||
Comment 1•6 years ago
|
||
Testcase has "-moz-column-span: all" so I'm guessing this is related to the other column-span bugs filed recently?
Component: Layout → Layout: Columns
Flags: needinfo?(aethanyc)
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
|
|
||
Comment 2•6 years ago
|
||
We don't need to track this for 65 since it's sec-low and behind a pref.
|
||
Comment 3•5 years ago
|
||
I cannot reproduce this bug on 2018-12-20 fuzzing asan opt build [1] with prefs [2] having layout.css.column-span.enabled=true. Close as WORKSFORME. [1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt [2] https://github.com/MozillaSecurity/fuzzdata/blob/00d671853af1bea93bae22f5e052138c7a8f269d/settings/firefox/prefs-default.js
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → WORKSFORME
|
|
||
Updated•4 years ago
|
Group: layout-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•