Closed Bug 1547897 Opened 1 year ago Closed 11 months ago

AddressSanitizer: stack-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:404 in __asan::GetCurrentThread()

Categories

(Core :: DOM: Editor, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- fixed

People

(Reporter: jkratzer, Assigned: masayuki)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 420e18a75314.

```
==25827==ERROR: AddressSanitizer: stack-overflow on address 0x7fff7f1ffff8 (pc 0x55786b6e45f1 bp 0x000000000053 sp 0x7fff7f200000 T0)
    #0 0x55786b6e45f0 in __asan::GetCurrentThread() /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:404
    #1 0x55786b68e0af in __tls_get_addr /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5108:3
    #2 0x7f9648f3b042 in _$LT$core..cell..Cell$LT$T$GT$$GT$::get::h3d7388ced6d8decf /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libcore/cell.rs:249:16
    #3 0x7f9648f3b042 in _$LT$std..thread..local..fast..Key$LT$T$GT$$GT$::get::h9a4f441257a47656 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:375
    #4 0x7f9648f3b042 in style::sharing::SHARING_CACHE_KEY::__getit::h39eb9af1526d9223 /builds/worker/workspace/build/src/<::std::thread::local::__thread_local_inner macros>:23
    #5 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::h245fabef33f11428 /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:297
    #6 0x7f9648f3b042 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::he5f0be01b5c3942a /rustc/91856ed52c58aa5ba66a015354d1cc69e9779bdf/src/libstd/thread/local.rs:246
    #7 0x7f9648f3b042 in _$LT$style..sharing..StyleSharingCache$LT$E$GT$$GT$::new::ha71dd31374b7d3d5 /builds/worker/workspace/build/src/servo/components/style/sharing/mod.rs:541
    #8 0x7f9649001941 in _$LT$style..context..ThreadLocalStyleContext$LT$E$GT$$GT$::new::h8e0fc5583d2364df /builds/worker/workspace/build/src/servo/components/style/context.rs:783:27
    #9 0x7f9649001941 in Servo_ResolveStyleLazily /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:4914
    #10 0x7f964282efd3 in mozilla::ServoStyleSet::ResolveStyleLazily(mozilla::dom::Element&, mozilla::PseudoStyleType, mozilla::StyleRuleInclusion) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1094:10
    #11 0x7f964286b5d3 in nsComputedDOMStyle::DoGetComputedStyleNoFlush(mozilla::dom::Element*, nsAtom*, mozilla::PresShell*, nsComputedDOMStyle::StyleType) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:573:17
    #12 0x7f96424454b6 in GetComputedStyleNoFlush /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.h:95:12
    #13 0x7f96424454b6 in mozilla::EditorBase::IsPreformatted(nsINode*) /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:3718
    #14 0x7f96426eeafe in mozilla::WSRunObject::GetRuns() /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.cpp:880:10
    #15 0x7f96424a441c in mozilla::WSRunObject::WSRunObject(mozilla::HTMLEditor*, nsINode*, int) /builds/worker/workspace/build/src/editor/libeditor/WSRunObject.h:173:9
    #16 0x7f964251b664 in mozilla::HTMLEditRules::CheckForInvisibleBR(mozilla::dom::Element&, mozilla::HTMLEditRules::BRLocation, int) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6477:15
    #17 0x7f96425109c3 in mozilla::HTMLEditRules::TryToJoinBlocksWithTransaction(nsIContent&, nsIContent&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:3339:9
    #18 0x7f96424bda93 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2748:32
    #19 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #20 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #21 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #22 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #23 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #24 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #25 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #26 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #27 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #28 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #29 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #30 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #31 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #32 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #33 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #34 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #35 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #36 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #37 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #38 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #39 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #40 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #41 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #42 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #43 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #44 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #45 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #46 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #47 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #48 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #49 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
    #50 0x7f96424c48a0 in mozilla::HTMLEditRules::WillDeleteSelection(short, short, bool*, bool*) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:2771:14
...truncated...
```
Flags: in-testsuite?

Could you use a preformatted block when you write a log? (i.e., three backquotes before the first line and after the last line) If so, the lines won't be wrapped and it should be easier to read.

Assignee: nobody → masayuki
Flags: needinfo?(jkratzer)
Priority: -- → P1

Done

Flags: needinfo?(jkratzer)
Status: NEW → ASSIGNED

WSRunObject scans the previous and next node of a given point/range without
checking the editing host boundary. Therefore, its methods may return non-editable
nodes or editable nodes in another editing host. In such cases, HTMLEditRules
is confused.

This patch makes it store the editing host at initialization and check the
boundary. The former cost may appear in the scores of some benchmark
tests, but we shouldn't allow attackers to use this entrance.
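The boundary check the patch description above talks about, as an added illustration that is not Gecko's or WSRunObject's code: a minimal DOM-like tree (constructed here) and a "previous node" scan in the same spirit, once climbing freely and once refusing to leave the editing host. `Node`, `ScanPrevious*`, `Doc` and the tree shape are assumptions for the example.

```cpp
// Added illustration, not Gecko's code. A minimal DOM-like tree plus a
// "previous node" scan in the spirit of WSRunObject: one version climbs
// without regard to the editing host, the other stops at its boundary.
#include <iostream>
#include <string>
#include <vector>
struct Node {
  std::string name;
  Node* parent = nullptr;
  std::vector<Node*> children;
  // Previous sibling, or nullptr when this is the first child / the root.
  Node* Prev() const {
    if (!parent) return nullptr;
    const auto& sib = parent->children;
    for (size_t i = 0; i < sib.size(); ++i)
      if (sib[i] == this) return i ? sib[i - 1] : nullptr;
    return nullptr;
  }
};
// Unbounded: walk to the previous sibling, climbing to ancestors as needed.
// Nothing tells it where the editable region ends, so it can hand back a
// node that belongs to the document outside the editing host.
Node* ScanPreviousUnbounded(Node* n) {
  for (; n; n = n->parent)
    if (Node* p = n->Prev()) return p;
  return nullptr;
}
// Bounded: the same walk, but it never climbs past `host`, so the result is
// either inside the editing host or nullptr (meaning "no such node").
Node* ScanPreviousBounded(Node* n, Node* host) {
  for (; n && n != host; n = n->parent)
    if (Node* p = n->Prev()) return p;
  return nullptr;
}
// Constructed tree: body > [outside, host(contenteditable) > [first]].
struct Doc {
  Node body{"body"}, outside{"outside"}, host{"host"}, first{"first"};
  static void Link(Node& p, Node& c) { c.parent = &p; p.children.push_back(&c); }
  Doc() { Link(body, outside); Link(body, host); Link(host, first); }
};
std::string NameOf(Node* n) { return n ? n->name : "null"; }
// Scanning backwards from `first` (the first child of the editing host).
std::string UnboundedResult() { Doc d; return NameOf(ScanPreviousUnbounded(&d.first)); }
std::string BoundedResult() { Doc d; return NameOf(ScanPreviousBounded(&d.first, &d.host)); }
int main() {
  std::cout << "unbounded: " << UnboundedResult() << "\n"  // outside
            << "bounded:   " << BoundedResult() << "\n";   // null
}
```

The unbounded scan returns `outside`, a node the editor has no business touching; the bounded one reports that there is no previous node within the host, which is the answer HTMLEditRules can act on safely.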

See Also: → 1426709
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/de1ede4b54c5
Make WSRunObject stop scanning outside of editing host r=m_kato
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Comment on attachment 9067323 [details]
Bug 1547897 - Make WSRunObject stop scanning outside of editing host

Beta/Release Uplift Approval Request

  • User impact if declined: Attackers can crash our users' tabs with the simple testcase.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch just makes some points of helper classes of HTMLEditor stop touching outside the focused editing host (an editing host means an element that has a contenteditable attribute). So, it shouldn't affect the path handling editing actions normally.
  • String changes made/needed: none
Attachment #9067323 - Flags: approval-mozilla-beta?

Comment on attachment 9067323 [details]
Bug 1547897 - Make WSRunObject stop scanning outside of editing host

Unless we have evidence of this being an issue in the wild I'd prefer to let it ride the trains.

Attachment #9067323 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Flags: in-testsuite? → in-testsuite+