Closed Bug 1509581 Opened 6 years ago Closed 10 months ago

Use-After-Free Crash in MergeState::UpdateContainerASR

Categories

(Core :: Web Painting, defect, P3)

61 Branch
All
Windows
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fix-optional
firefox66 --- fix-optional
firefox67 --- fix-optional

People

(Reporter: philipp, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Crash Data

This bug was filed from the Socorro interface and is
report bp-0d0d51e1-ab73-440a-bc57-b4fb70181123.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll void MergeState::UpdateContainerASR layout/painting/RetainedDisplayListBuilder.cpp:483
1 xul.dll void MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:539
2 xul.dll class RetainedDisplayList MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:437
3 xul.dll bool RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:663
4 xul.dll void MergeState::ProcessOldNode layout/painting/RetainedDisplayListBuilder.cpp:524
5 xul.dll class RetainedDisplayList MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:437
6 xul.dll bool RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:663
7 xul.dll struct Index<MergedListUnits> MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:335
8 xul.dll bool RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:659
9 xul.dll RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1419

=============================================================

This content crash signature is newly showing up since Firefox 61, presumably due to bug 1443027.
Most reports appear to be security sensitive.

wontfix for 63 as we have no plan for another dot release before 64 ships in 2 weeks from now.

Miko, can you please take a look at the crash stacks to see if anything stands out?
Group: core-security → layout-core-security
Flags: needinfo?(mikokm)

This looks a bit similar to other crashes we have, where DisplayItemClipChain of a display item is corrupted.
Flags: needinfo?(mikokm)
Priority: -- → P3

There could be multiple causes here, but the use-after-free crashes are sec-high.
Keywords: sec-high
Summary: Crash in MergeState::UpdateContainerASR → Use-After-Free Crash in MergeState::UpdateContainerASR
Crash Signature: [@ MergeState::UpdateContainerASR] → [@ MergeState::UpdateContainerASR] [@ SelectContainerASR]
Group: layout-core-security → gfx-core-security

Miko, does this bug look actionable?

Flags: needinfo?(mikokm)

(In reply to Jessie [:jbonisteel] plz needinfo from comment #6)

Miko, does this bug look actionable?

Sadly, no. This looks like it belongs to a class of stalled bugs where the display item/display item clip chain arena gets bogus/corrupted entries. The only lead we have here is that it seems to happen more often with Windows 7.

Flags: needinfo?(mikokm)
Keywords: stalled

Removing employee no longer with company from CC list of private bugs.

Severity: critical → S2

No crashes on crash stats, lowering severity, -> S3.

Severity: S2 → S3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:tnikkel, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tnikkel)
Flags: needinfo?(tnikkel)

There are only two crashes with this signature in the last 6 months. One in Fenix 86 that's crashing on the UAF poison value (consistent with the original report), and one in ESR 102.8 on Linux that looks like a bit-flip.

bp-1bbee9b8-8a67-4422-a29d-e335e0230302 crashes on an access of 0x08007f645a8f05e0 (rax + 0x20). Several other registers have values like 0x00007f645-------, reasonably close to the crashing address if you ignore that one highish bit. Given we have a significant number of ESR 102 users and the former UAF crashes were not rare we can safely assume this got fixed in another bug along the way.

Group: gfx-core-security
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → WORKSFORME
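The comment above separates two kinds of crash by looking at the faulting address: a read through a pointer that still holds the allocator's free-fill poison (the original UAF reports), and an address that is one high bit away from values the other registers hold (the ESR 102 bit-flip). The script below, added here as an example and not part of Mozilla's tooling or this bug, turns that reasoning into two checks that can be run over a minidump's register set. Assumptions: the poison byte is 0xe5 (Firefox's allocator free-fill; the thread does not name the value), the x86-64 canonical-address rule applies to the ESR crash, and the register values in the demo are constructed from the one address the comment quotes (0x08007f645a8f05e0 = rax + 0x20) plus made-up 0x00007f645... neighbours.

```python
"""Crash-address triage: UAF poison pointer versus a single flipped high bit.

Example code added to illustrate the triage in the bug comments; it is not
Mozilla's tooling.  Constants below are assumptions, not values from the bug.
"""

POISON_BYTE = 0xE5          # assumption: allocator free-fill byte (jemalloc in Firefox)
POISON_MAX_OFFSET = 0x1000  # field offsets a deref of a poisoned pointer may add
FLIP_BITS = range(32, 64)   # only high bits: a low-bit "flip" is indistinguishable
                            # from an ordinary field offset
FLIP_WINDOW = 0x100000      # repaired address must land this close to a live pointer
MIN_POINTER = 0x10000       # below this a value is a small integer, not a pointer


def poison_offset(addr):
    """Offset of addr above a 32- or 64-bit poison pattern, or None if not poison."""
    for width in (4, 8):
        pattern = int.from_bytes(bytes([POISON_BYTE]) * width, "little")
        off = addr - pattern
        if 0 <= off <= POISON_MAX_OFFSET:
            return off
    return None


def is_canonical_x86_64(addr):
    """x86-64 requires bits 48..63 to copy bit 47; a stray high bit breaks this."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1


def bit_flip_candidates(addr, registers):
    """List (bit, register, repaired_addr) for single high-bit flips of addr that
    bring it within FLIP_WINDOW of a register holding a plausible pointer.

    The unflipped addr being near a register is deliberately not counted:
    that is just a normal crash at some offset from a live object.
    """
    hits = []
    for bit in FLIP_BITS:
        repaired = addr ^ (1 << bit)
        if repaired < MIN_POINTER:
            continue
        for name, value in registers.items():
            if value >= MIN_POINTER and abs(repaired - value) <= FLIP_WINDOW:
                hits.append((bit, name, repaired))
    return hits


def triage(addr, registers):
    """Classify a faulting address as 'uaf-poison', 'bit-flip' or 'unknown'."""
    if poison_offset(addr) is not None:
        return "uaf-poison"
    if bit_flip_candidates(addr, registers):
        return "bit-flip"
    return "unknown"


if __name__ == "__main__":
    # Constructed register set: rax follows from "0x08007f645a8f05e0 (rax + 0x20)"
    # in the comment; rbx and rdi are invented 0x00007f645... style values.
    esr_regs = {
        "rax": 0x08007F645A8F05C0,
        "rbx": 0x00007F645A8F0000,
        "rdi": 0x00007F645B120470,
    }
    esr_addr = 0x08007F645A8F05E0
    print("ESR 102 crash:", triage(esr_addr, esr_regs),
          "canonical" if is_canonical_x86_64(esr_addr) else "non-canonical",
          [(bit, reg, hex(fixed)) for bit, reg, fixed in bit_flip_candidates(esr_addr, esr_regs)])

    # Constructed poison-style addresses: 64-bit poison + 0x10 and 32-bit poison + 0x10.
    for a in (0xE5E5E5E5E5E5E5F5, 0xE5E5E5F5):
        print(hex(a), triage(a, {}), "offset", poison_offset(a))
```

Both checks are heuristics, not proof: a flipped bit in the low half of a pointer cannot be told apart from a field access, and a poisoned value that was copied into a register and then arithmetically modified may fall outside the offset window. Treat a "bit-flip" verdict the way the comment does, as a reason to weigh the single report against the size of the affected population rather than as a closed case.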

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled