Closed Bug 1574101 Opened 5 years ago Closed 5 years ago

heap-use-after-free in mozilla::ReflowInput::InitAbsoluteConstraints

Categories

(Core :: Layout, defect, P1)

70 Branch
defect

VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- verified
firefox71 --- verified

People

(Reporter: nils, Assigned: emilio)

References

(Regression)

Details

(5 keywords, Whiteboard: [fuzzblocker][post-critsmash-triage])

Attachments

(3 files)

The following testcase crashes the latest ASAN build of Firefox 70.0a1 (BuildID=20190814215752).

crash.html:
<script>
function start() {
  document.documentElement.style.transform = 'scale(0.00001)';
  // An <hr> given display:ruby, nested in <summary> inside <details>.
  o219 = document.createElement('hr');
  o219.style.display = 'ruby';
  o637 = document.createElement('summary');
  o637.appendChild(o219);
  o663 = document.createElement('details');
  o663.appendChild(o637);
  document.documentElement.appendChild(o663);
  // Take the ruby element out of flow, then force a layout flush:
  // getBoxQuads() is the entry point in the allocation stack below.
  o219.style.position = 'absolute';
  o866 = document.documentElement.getBoxQuads();
  // Change the ancestor's positioning after the flush; the next
  // refresh-driver reflow (the crash stack below) runs after this.
  o663.style.position = 'fixed';
}
</script>
<body onload="start()"></body>

ASAN output:

==2237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000271148 at pc 0x7f94ed057fb4 bp 0x7fffab8fa330 sp 0x7fffab8fa328
READ of size 8 at 0x606000271148 thread T0 (file:// Content)
#0 0x7f94ed057fb3 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:361:16
#1 0x7f94ed057fb3 in Equals<const mozilla::FrameProperties::PropertyValue, const mozilla::FramePropertyDescriptorUntyped *const> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:819
#2 0x7f94ed057fb3 in ApplyIf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator, (lambda at /builds/worker/workspace/build/src/layout/base/FrameProperties.h:374:7), (lambda at /builds/worker/workspace/build/src/layout/base/FrameProperties.h:380:7)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1939
#3 0x7f94ed057fb3 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:372
#4 0x7f94ed057fb3 in Get<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:213
#5 0x7f94ed057fb3 in GetProperty<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3625
#6 0x7f94ed057fb3 in GetPlaceholderFrame /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:880
#7 0x7f94ed057fb3 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:1595
#8 0x7f94ed04c53f in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2370:7
#9 0x7f94ed045909 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:353:3
#10 0x7f94ed088afa in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:707:15
#11 0x7f94ed0863fc in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#12 0x7f94ed099b5e in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1522:26
#13 0x7f94ed0ef7f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:896:14
#14 0x7f94ed0ee341 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:729:5
#15 0x7f94ed0ef7f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:896:14
#16 0x7f94ed1f60cd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:644:3
#17 0x7f94ed1f7281 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:758:3
#18 0x7f94ed1fcabd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1160:3
#19 0x7f94ed084ccc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:936:14
#20 0x7f94ed083cac in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:309:7
#21 0x7f94ece58a04 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9229:11
#22 0x7f94ece728b3 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9399:24
#23 0x7f94ece6fe2a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4166:11
#24 0x7f94ecdf830c in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:1445:5
#25 0x7f94ecdf830c in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2016
#26 0x7f94ece097bf in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:372:13
#27 0x7f94ece097bf in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:349
#28 0x7f94ece09180 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:366:5
#29 0x7f94ece0ca43 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:814:5
#30 0x7f94ece0ca43 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:734
#31 0x7f94ece0bd0c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:629:9
#32 0x7f94ed6f17eb in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#33 0x7f94e539c535 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
#34 0x7f94e4eeb633 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5637:32
#35 0x7f94e4755336 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2184:25
#36 0x7f94e475009b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2108:9
#37 0x7f94e4752657 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1955:3
#38 0x7f94e47534e7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1986:13
#39 0x7f94e35680f0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#40 0x7f94e356e508 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#41 0x7f94e475e714 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
#42 0x7f94e465ba82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#43 0x7f94e465ba82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#44 0x7f94e465ba82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#45 0x7f94ec875c99 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#46 0x7f94f076dacf in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#47 0x7f94e465ba82 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#48 0x7f94e465ba82 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#49 0x7f94e465ba82 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#50 0x7f94f076d376 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#51 0x56304c9a4f13 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#52 0x56304c9a4f13 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
#53 0x7f950501bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#54 0x56304c8c644c in _start (/home/nils/browser/firefox/firefox/firefox+0x4544c)

0x606000271148 is located 8 bytes to the right of 64-byte region [0x606000271100,0x606000271140)
allocated by thread T0 (file:// Content) here:
#0 0x56304c97227f in __interceptor_realloc /builds/worker/workspace/build/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:165:3
#1 0x56304c9a6dbd in moz_xrealloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:72:18
#2 0x7f94e32fe6a9 in Realloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:204:12
#3 0x7f94e32fe6a9 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:191
#4 0x7f94ed046976 in AppendElement<mozilla::FrameProperties::PropertyValue, nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2393:47
#5 0x7f94ed046976 in AddInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:407
#6 0x7f94ed046976 in Add<nsMargin> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:171
#7 0x7f94ed046976 in AddProperty<nsMargin> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3645
#8 0x7f94ed046976 in UpdateProp /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2501
#9 0x7f94ed046976 in mozilla::SizeComputationInput::InitOffsets(mozilla::WritingMode, int, mozilla::LayoutFrameType, mozilla::SizeComputationInput::ReflowInputFlags, nsMargin const*, nsMargin const*, nsStyleDisplay const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2530
#10 0x7f94ed04bdf4 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2246:5
#11 0x7f94ed045909 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:353:3
#12 0x7f94ed088afa in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:707:15
#13 0x7f94ed0863fc in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:212:7
#14 0x7f94ed099b5e in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1522:26
#15 0x7f94ed0ef7f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:896:14
#16 0x7f94ed0ee341 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:729:5
#17 0x7f94ed0ef7f7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:896:14
#18 0x7f94ed1f60cd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:644:3
#19 0x7f94ed1f7281 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:758:3
#20 0x7f94ed1fcabd in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1160:3
#21 0x7f94ed084ccc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:936:14
#22 0x7f94ed083cac in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:309:7
#23 0x7f94ece58a04 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9229:11
#24 0x7f94ece728b3 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9399:24
#25 0x7f94ece6fe2a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4166:11
#26 0x7f94e7604059 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:1445:5
#27 0x7f94e7604059 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/Document.cpp:9963
#28 0x7f94ece377a8 in GetFrameForNode /builds/worker/workspace/build/src/layout/base/GeometryUtils.cpp:42:8
#29 0x7f94ece377a8 in GetFrameForNode /builds/worker/workspace/build/src/layout/base/GeometryUtils.cpp:88
#30 0x7f94ece377a8 in mozilla::GetBoxQuads(nsINode*, mozilla::dom::BoxQuadOptions const&, nsTArray<RefPtr<mozilla::dom::DOMQuad> >&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/base/GeometryUtils.cpp:248
#31 0x7f94e982fc2b in mozilla::dom::Element_Binding::getBoxQuads(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:5422:24
#32 0x7f94e9e9e42d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3163:13
#33 0x7f94f0a256f7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
#34 0x7f94f0a256f7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
#35 0x7f94f0a0dfb3 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:598:10
#36 0x7f94f0a0dfb3 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#37 0x7f94f09efc1f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
#38 0x7f94f0a261ff in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
#39 0x7f94f0a28422 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
#40 0x7f94f1534748 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2725:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/base/FrameProperties.h:361:16 in Equals
==2237==ABORTING
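As an added triage aid (not code from this bug, from the fuzzer, or from mozilla-central), a small Python parser for ASAN reports of the shape above: it pulls out ASAN's own classification, the access, and the first project-code frame of the crash and allocation stacks, recomputes the overflow distance from the region addresses instead of trusting the prose line, and flags that the report's class (heap-buffer-overflow) differs from the one in the bug title. The input is a constructed, abbreviated copy of the report in comment 0; the `/builds/worker/workspace/build/src/` prefix used to spot project frames is taken from that report.

```python
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed excerpt modelled on the report in comment 0 (stacks abbreviated).
SAMPLE_REPORT = """\
==2237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000271148 at pc 0x7f94ed057fb4 bp 0x7fffab8fa330 sp 0x7fffab8fa328
READ of size 8 at 0x606000271148 thread T0 (file:// Content)
    #0 0x7f94ed057fb3 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:361:16
    #7 0x7f94ed057fb3 in mozilla::ReflowInput::InitAbsoluteConstraints(nsPresContext*, mozilla::ReflowInput const*, mozilla::LogicalSize const&, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:1595

0x606000271148 is located 8 bytes to the right of 64-byte region [0x606000271100,0x606000271140)
allocated by thread T0 (file:// Content) here:
    #0 0x56304c97227f in __interceptor_realloc /builds/worker/workspace/build/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:165:3
    #1 0x56304c9a6dbd in moz_xrealloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:72:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/base/FrameProperties.h:361:16 in Equals
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")  # "#N pc in func location"
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

class Frame(NamedTuple):
    index: int
    function: str
    location: str  # "path:line[:col]", or "(binary+offset)" when unsymbolized

@dataclass
class AsanReport:
    kind: str      # ASAN's own classification, e.g. heap-buffer-overflow
    address: int   # faulting address
    access: str    # READ or WRITE
    size: int      # access width in bytes
    region: Optional[tuple] = None  # [start, end) of the nearest heap chunk
    stacks: dict = field(default_factory=lambda: {"crash": [], "alloc": [], "freed": []})

def parse_asan_report(text: str) -> AsanReport:
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not header or not access:
        raise ValueError("not an AddressSanitizer error report")
    rep = AsanReport(header.group(1), int(header.group(2), 16), access.group(1), int(access.group(2)))
    region = REGION_RE.search(text)
    if region:
        rep.region = (int(region.group(2), 16), int(region.group(3), 16))
    target = None  # frames attach to the most recent stack header
    for line in text.splitlines():
        if ACCESS_RE.match(line):
            target = rep.stacks["crash"]
        elif line.endswith("here:") and line.startswith(("allocated by", "freed by")):
            target = rep.stacks["alloc" if line.startswith("allocated") else "freed"]
        elif not line.strip():
            target = None  # a blank line closes the current stack
        elif target is not None and (m := FRAME_RE.match(line)):
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep

def first_frame_under(frames: List[Frame], prefix: str) -> Optional[Frame]:
    """First frame whose source file lives under `prefix`; skips sanitizer interceptor frames."""
    return next((f for f in frames if f.location.startswith(prefix)), None)

def triage(text: str, bug_title: str, src_prefix: str = "/builds/worker/workspace/build/src/") -> dict:
    """Fields a triager wants first; the overflow distance is recomputed from the addresses."""
    rep = parse_asan_report(text)
    crash, alloc = (first_frame_under(rep.stacks[k], src_prefix) for k in ("crash", "alloc"))
    return {
        "kind": rep.kind,
        "access": f"{rep.access} of {rep.size} bytes",
        "bytes_past_end": rep.address - rep.region[1] if rep.region else None,
        "crash_site": crash.location if crash else None,
        "alloc_site": alloc.location if alloc else None,
        "title_matches_kind": rep.kind in bug_title,
    }
```

The parser also collects a "freed by" stack, so the same code serves the use-after-free reports the bug title names, where that stack is the one to read.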

Group: core-security → layout-core-security

Seems many of the fuzzers started hitting this (and variations) overnight.

Severity: normal → critical
Flags: in-testsuite?
Whiteboard: [fuzzblocker]

Mats: is this fallout from bug 1105868 you landed yesterday? Multiple fuzzers are crashing overnight.

Flags: needinfo?(mats)
Keywords: sec-high

These are hitting the block ruby codepath added in bug 1557825. I think I have a fix.

Assignee: nobody → emilio
Keywords: sec-high
Priority: -- → P1
Regressed by: 1557825
Keywords: regression

err, sorry, mid-aired

Keywords: sec-high

I should've caught this when reviewing, in fairness.

Flags: needinfo?(mats)

I'm pretty sure earlier versions are unaffected, since this was a regression from bug 1557825 which has only landed on mozilla-central (yesterday) and isn't intended for uplift to anywhere else.

--> setting status flags accordingly

Autoland failed:

Details: We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again. applying /tmp/tmpHFCUEr layout/base/crashtests/crashtests.list Hunk #1 FAILED at 576. 1 out of 1 hunk FAILED -- saving rejects to file layout/base/crashtests/crashtests.list.rej abort: patch command failed: exited with status 256

Flags: needinfo?(emilio)

Never mind, I was able to rebase it myself. Hopefully autoland will succeed now.

Flags: needinfo?(emilio)

Landed: https://hg.mozilla.org/integration/autoland/rev/4d8eb840fc2eaa37f6e75e5a5f2e8863beeccf19

As part of the rebase (actually, as part of my initial moz-phab patch import before any rebasing), mercurial automatically did a bunch of clang-format fixup to nsCSSFrameConstructor.cpp without me noticing, so those reformatting changes leaked into the commit -- sorry about that. That seems to have been latent clang-format issues from bug 1038294, as noted in bug 1038294 comment 37.

I'm having that^ commit backed out so I can land the reformatting (for this file & other files) separately via bug 1574310, and then I'll reland.

Attachment #9085805 - Attachment description: Bug 1574101 - Use the right parent frame for `block ruby` if it's out of flow. → Bug 1574101 - Use the right parent frame for `block ruby` if it's out of flow. r=mats
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Flags: in-testsuite? → in-testsuite+
Flags: qe-verify+
Whiteboard: [fuzzblocker] → [fuzzblocker][post-critsmash-triage]

Verified as fixed on Firefox 71.0a1 (2019-09-03) ASAN Build (Build ID: 20190903094847) on Windows 10 x64, Ubuntu 18.04 and Mac OS X 10.14.
Verified on Firefox 70.0b3 ASAN Build (Build ID: 20190902191027) on Ubuntu 18.04 and Mac OS X 10.14 and verified on Firefox 70.0a1 (2019-08-23) ASAN Build on Windows 10 x64.

Status: RESOLVED → VERIFIED
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+

Hurts a little to pay a bounty on a nightly regression that our own tools also found, but didn't get filed until a few hours later because the earth is round. We are considering policy changes that would consider bugs filed within hours of each other (8? 12? 24?) a "tie" and split the bounty rather than our current strict "first to file" policy. That cuts both ways though. Maybe we just need to get better automatic-filing tools in our fuzz cluster.

Group: core-security-release
Has Regression Range: --- → yes