Closed
Bug 1507269
Opened 4 years ago
Closed 4 years ago
AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:307:27 in get
Categories
(Core :: Layout: Columns, defect, P2)
Tracking
RESOLVED
WORKSFORME
| | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | - | disabled |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords)
Attachments
(1 file)
458 bytes,
text/html
Testcase found while fuzzing mozilla-central rev 073045259e75.

```
==20615==ERROR: AddressSanitizer: use-after-poison on address 0x6250004d1500 at pc 0x7fb7189f7ef3 bp 0x7ffe32903e50 sp 0x7ffe32903e48
READ of size 8 at 0x6250004d1500 thread T0
    #0 0x7fb7189f7ef2 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:307:27
    #1 0x7fb7189f7ef2 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:339
    #2 0x7fb7189f7ef2 in StyleUIReset /builds/worker/workspace/build/src/layout/style/nsStyleStructList.h:49
    #3 0x7fb7189f7ef2 in nsIFrame::IsSelectable(mozilla::StyleUserSelect*) const /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:4163
    #4 0x7fb7122d0693 in nsRange::ExcludeNonSelectableNodes(nsTArray<RefPtr<nsRange> >*) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:3339:33
    #5 0x7fb711f56fd1 in mozilla::dom::Selection::UserSelectRangesToAdd(nsRange*, nsTArray<RefPtr<nsRange> >&) /builds/worker/workspace/build/src/dom/base/Selection.cpp:969:10
    #6 0x7fb711f5031e in mozilla::dom::Selection::AddItem(nsRange*, int*, bool) /builds/worker/workspace/build/src/dom/base/Selection.cpp:1010:7
    #7 0x7fb711f69baf in mozilla::dom::Selection::SetAnchorFocusToRange(nsRange*) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2564:9
    #8 0x7fb711f6b8c1 in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2753:11
    #9 0x7fb711f6e3d8 in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Selection.cpp:2977:3
    #10 0x7fb7182017c9 in mozilla::HTMLEditor::SelectAllInternal() /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:3959:22
    #11 0x7fb71805819f in mozilla::EditorBase::SelectAll() /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1040:17
    #12 0x7fb718093dbc in mozilla::SelectAllCommand::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/editor/libeditor/EditorCommands.cpp:877:22
    #13 0x7fb715917295 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:150:26
    #14 0x7fb71590d85c in nsBaseCommandController::DoCommand(char const*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:132:25
    #15 0x7fb715913247 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:22
    #16 0x7fb715fb8b95 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3017:18
    #17 0x7fb714c86a3f in mozilla::dom::HTMLDocument_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:618:21
    #18 0x7fb71522d2d4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3374:13
    #19 0x7fb71e4beb0d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #20 0x7fb71e4beb0d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #21 0x7fb71e4a832a in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:620:12
    #22 0x7fb71e4a832a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3461
    #23 0x7fb71e48bb96 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
    #24 0x7fb71e4bf4b1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
    #25 0x7fb71e4c1132 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
    #26 0x7fb71d55cd66 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2975:12
    #27 0x7fb714838ed9 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #28 0x7fb715ac12e9 in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #29 0x7fb715abe579 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214:12
    #30 0x7fb715a725da in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1107:52
    #31 0x7fb715a74bd7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1309:15
    #32 0x7fb715a56766 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #33 0x7fb715a56766 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:425
    #34 0x7fb715a549e8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:642:16
    #35 0x7fb715a5b440 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1164:11
    #36 0x7fb71874311e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1167:7
    #37 0x7fb71b9a5033 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7050:21
    #38 0x7fb71b9a0859 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6841:7
    #39 0x7fb71b9a9667 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #40 0x7fb71077f745 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1309:3
    #41 0x7fb71077e32c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:852:14
    #42 0x7fb710779c68 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:741:9
    #43 0x7fb710779c81 in ChildDoneWithOnload /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.h:204:9
    #44 0x7fb710779c81 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:744
    #45 0x7fb71077c5be in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:630:5
    #46 0x7fb71077de54 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #47 0x7fb70e124737 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:630:28
    #48 0x7fb712124567 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8517:18
    #49 0x7fb712124567 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8439
    #50 0x7fb7120fe5e2 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5332:3
    #51 0x7fb71225e56b in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #52 0x7fb71225e56b in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #53 0x7fb71225e56b in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #54 0x7fb70de9e561 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1244:14
    #55 0x7fb70dea730d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #56 0x7fb70f117d5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #57 0x7fb70f01420e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #58 0x7fb70f01420e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #59 0x7fb70f01420e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #60 0x7fb717ebd983 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #61 0x7fb71c4b71d0 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #62 0x7fb71c785f8e in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4789:22
    #63 0x7fb71c788860 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4934:8
    #64 0x7fb71c78a1e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5026:21
    #65 0x5562d08f267c in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:233:22
    #66 0x5562d08f267c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:315
    #67 0x7fb730f97b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #68 0x5562d0817eec in _start (/home/forb1dden/builds/mc-asan/firefox+0x2deec)

0x6250004d1500 is located 3072 bytes inside of 8192-byte region [0x6250004d0900,0x6250004d2900)
allocated by thread T0 here:
    #0 0x5562d08bfd93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7fb70de3b8a0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7fb70de31118 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7fb70de31118 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7fb70de31118 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7fb7188bc11a in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7fb7188bc11a in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207
    #7 0x7fb7188bc11a in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fb7188bc11a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fb7186cf3a3 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2712:5
    #10 0x7fb7185f5752 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1798:36
    #11 0x7fb71203e131 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1276:26
    #12 0x7fb7109ac822 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
    #13 0x7fb7109a8ae7 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1201:17
    #14 0x7fb7109a5a7a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
    #15 0x7fb7109b0ecb in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:123:18
    #16 0x7fb70de9e561 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1244:14
    #17 0x7fb70dea730d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #18 0x7fb70f117d5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #19 0x7fb70f01420e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #20 0x7fb70f01420e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #21 0x7fb70f01420e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #22 0x7fb717ebd983 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #23 0x7fb71c4b71d0 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #24 0x7fb71c785f8e in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4789:22
    #25 0x7fb71c788860 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4934:8
    #26 0x7fb71c78a1e3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5026:21

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:307:27 in get
Shadow bytes around the buggy address:
  0x0c4a80092250: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80092260: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80092270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80092280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80092290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a800922a0:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800922b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800922c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800922d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800922e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800922f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20615==ABORTING
```
Flags: in-testsuite?
Updated•4 years ago
Group: core-security → layout-core-security
status-firefox63:
--- → unaffected
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
tracking-firefox65:
--- → +
Comment 1•4 years ago
I think from the stack this looks like an honest nsIFrame frame-poisoning mitigation crash. If it's not, it would be higher severity.
Keywords: csectype-framepoisoning,
sec-low
Comment 2•4 years ago
Testcase has "column-span:all".
Component: Layout → Layout: Columns
Flags: needinfo?(aethanyc)
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
Comment 3•4 years ago
We don't need to track this for 65 since it's sec-low and behind a pref.
Comment 4•4 years ago
I cannot reproduce this bug on 2018-12-20 fuzzing asan opt build [1] with prefs [2] having layout.css.column-span.enabled=true. Close as WORKSFORME.

[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt
[2] https://github.com/MozillaSecurity/fuzzdata/blob/00d671853af1bea93bae22f5e052138c7a8f269d/settings/firefox/prefs-default.js
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → WORKSFORME
Updated•3 years ago
Group: layout-core-security