Closed Bug 1518960 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-buffer-overflow [@ mozilla::a11y::DocAccessibleChildBase::ActorDestroy] with WRITE of size 8

Categories

(Core :: Disability Access APIs, defect, P2)

Product:
Core
Component:
Disability Access APIs
Platform:
x86_64
Windows
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1512567
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- wontfix
firefox66 --- fixed
firefox67 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords)

Crash Data

Attachments

(2 files)

Detailed Crash Information
7.56 KB, text/plain
Details
Detailed Crash Information
21.28 KB, text/plain
Details

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 66.0a1-20190105215256-https://hg.mozilla.org/mozilla-central/rev/c1eea02ba0c0df7868b43ab4c30e57655938969e.

For detailed crash information, see attachment.

Flags: sec-bounty?

Hi Jamie, can you help find someone to look into this?

Group: core-security → dom-core-security
Flags: needinfo?(jteh)

According to the stack, this occurs when the DocAccessibleChild actor tries to clear the IPC doc from its associated DocAccessible:

55 mDoc->SetIPCDoc(nullptr);

If I understand this correctly, it would seem that mDoc is now an invalid pointer. In order for that to happen, the DocAccessible must have been destroyed before ActorDestroy was called. However, when a DocAccessible is destroyed, it calls DocAccessibleChild::Shutdown, which calls DetachDocument and thus sets mDoc to null. So, I don't understand how mDoc could be invalid!

Eitan, any ideas?

Flags: needinfo?(jteh) → needinfo?(eitan)

the small number of crashes in the wild seemed to start around Dec 11 with Fx65 if that helps point to anything.

Keywords: csectype-wildptr, sec-high

I'll look at this further, fyi I think this is a dub of bug 1512567. Which I have been struggling to reproduce. Didn't actually try to wrap my head around the stack trace.. I'll do that next.

status-firefox64: unaffected → ---
status-firefox65: affected → ---
Flags: needinfo?(eitan)
Keywords: csectype-wildptr, sec-high
Priority: -- → P2
I just received another report from the same reporter, with identical stack, except that the report indicates a heap-use-after-free and not a heap-buffer-overflow. It is plausible that this is the same bug, attaching the stack here for investigation.
Component: DOM → Disability Access APIs

Eitan, did the extra information above help out at all? Do you think this issue is actionable or should we consider it stalled?

Flags: needinfo?(eitan)

Thanks for the ping Liz. I got back to this. It looks like we get into a condition where we set two IPC docs for a DocAccessible. So the last one set is referenced by the doc and gets shutdown with it, and successfully detaches from the DocAccessible (which is subsequently freed). The second one is just dangling somewhere until its ActorDestroy gets called from its manager, at that point it tries to unset itself from a doc that already doesn't exist.

The condition where a doc gets set with two IPC docs is when NotificationController::WillRefresh creates one before DocAccessible::DoInitialUpdate does. The latter doesn't check to see if an ipc doc is already set.

Flags: needinfo?(eitan)

The patch in bug 1512567 should remedy this. Once it is confirmed we can close this as dup.

Group: dom-core-security → layout-core-security

I am not seeing crashes anymore, should that bug be closed as fixed?

I have not seen this happening since 2019-02-22 anymore while it was happening once a few days before. So I assume it is plausible that bug 1512567 fixed this.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: