heap-use-after-free in SetOnstorage
Categories: Core :: Privacy: Anti-Tracking, defect
People: Reporter: nils, Assigned: smaug
Details: 4 keywords, Whiteboard: [adv-main71+][adv-esr68.3+]
Attachments (2 files):
- 47 bytes, text/x-phabricator-request; flags: pascalc: approval-mozilla-beta+, RyanVM: approval-mozilla-esr68+, tjr: sec-approval+
- 254 bytes, text/plain
This crash happens regularly while fuzzing an ASAN build of Firefox. It looks similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1581084, however it appears to have a different root cause.
==7681==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0015973ab at pc 0x7fa664804962 bp 0x7ffe1f849af0 sp 0x7ffe1f849ae8
READ of size 1 at 0x61d0015973ab thread T0 (Web Content)
#0 0x7fa664804961 in mozilla::EventListenerManager::SetEventHandlerInternal(nsAtom*, mozilla::TypedEventHandler const&, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:751:30
#1 0x7fa66480fc57 in mozilla::EventListenerManager::SetEventHandler(nsAtom*, mozilla::dom::EventHandlerNonNull*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1530:3
#2 0x7fa66355e7dc in SetOnstorage /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventNameList.h:315:1
#3 0x7fa66355e7dc in mozilla::dom::Window_Binding::set_onstorage(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:17747:24
#4 0x7fa66407413d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3146:8
#5 0x7fa66abbef99 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458:13
#6 0x7fa66abbef99 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:550:12
#7 0x7fa66abc5161 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:619:10
#8 0x7fa66abc5161 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:8
#9 0x7fa66abc5161 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:774:10
#10 0x7fa66b2ec273 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2943:8
#11 0x7fa66b2e50cd in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2972:14
#12 0x7fa66aef5597 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:283:10
#13 0x7fa66aef5597 in js::ForwardingProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:149:10
#14 0x7fa661560100 in nsOuterWindowProxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:944:23
#15 0x7fa66aed3725 in setInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:395:19
#16 0x7fa66aed3725 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:403:10
#17 0x7fa66ab9db69 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:280:12
#18 0x7fa66ab9db69 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:270:10
#19 0x7fa66ab9db69 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2875:12
#20 0x7fa66ab8997a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
#21 0x7fa66abc598f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:812:13
#22 0x7fa66aca5b5d in js::DirectEvalStringFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JSString*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:426:10
#23 0x207208d326ac (<unknown module>)
0x61d0015973ab is located 1323 bytes inside of 2048-byte region [0x61d001596e80,0x61d001597680)
freed by thread T0 (Web Content) here:
#0 0x55b307c17f4d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
#1 0x7fa65d3f5486 in Free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:198:34
#2 0x7fa65d3f5486 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:229:5
#3 0x7fa6647fdc19 in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTObserverArray.h:248:12
#4 0x7fa6647fdc19 in RemoveAllListenersSilently /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:148:14
#5 0x7fa6647fdc19 in mozilla::EventListenerManager::Disconnect() /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1316:3
#6 0x7fa661506c50 in nsGlobalWindowInner::FreeInnerObjects() /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:1103:23
#7 0x7fa66156aab3 in nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:2231:19
#8 0x7fa667110a6a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:983:22
#9 0x7fa66710fe1a in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:743:10
#10 0x7fa669d1e700 in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8379:7
#11 0x7fa669d1d609 in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6154:17
#12 0x7fa669d28cab in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, nsIURI*, bool, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6991:14
#13 0x7fa669cd39ba in nsDocShell::EnsureContentViewer() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6826:17
#14 0x7fa669d00e07 in GetDocument /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3624:3
#15 0x7fa669d00e07 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#16 0x7fa66158e471 in nsGlobalWindowOuter::NotifyContentBlockingEvent(unsigned int, nsIChannel*, bool, nsIURI*, nsIChannel*, mozilla::Maybe<mozilla::AntiTrackingCommon::StorageAccessGrantedReason> const&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5404:38
#17 0x7fa66a3418c1 in (anonymous namespace)::NotifyBlockingDecisionInternal(nsIChannel*, nsIChannel*, mozilla::AntiTrackingCommon::BlockingDecision, unsigned int, nsIURI*, nsPIDOMWindowOuter*) /builds/worker/workspace/build/src/toolkit/components/antitracking/AntiTrackingCommon.cpp:892:12
#18 0x7fa66a32d81a in mozilla::AntiTrackingCommon::NotifyBlockingDecision(nsPIDOMWindowInner*, mozilla::AntiTrackingCommon::BlockingDecision, unsigned int) /builds/worker/workspace/build/src/toolkit/components/antitracking/AntiTrackingCommon.cpp:2126:3
#19 0x7fa66a345c35 in mozilla::StorageDisabledByAntiTracking(nsPIDOMWindowInner*, nsIChannel*, nsIPrincipal*, nsIURI*, unsigned int&) /builds/worker/workspace/build/src/toolkit/components/antitracking/StorageAccess.cpp:300:5
#20 0x7fa66a344886 in InternalStorageAllowedCheck(nsIPrincipal*, nsPIDOMWindowInner*, nsIURI*, nsIChannel*, nsICookieSettings*, unsigned int&) /builds/worker/workspace/build/src/toolkit/components/antitracking/StorageAccess.cpp:141:8
#21 0x7fa66a34439f in mozilla::StorageAllowedForWindow(nsPIDOMWindowInner*, unsigned int*) /builds/worker/workspace/build/src/toolkit/components/antitracking/StorageAccess.cpp:207:12
#22 0x7fa66153685e in nsGlobalWindowInner::GetLocalStorage(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:4544:26
#23 0x7fa661546fcc in nsGlobalWindowInner::EventListenerAdded(nsAtom*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:6100:5
#24 0x7fa6648048a5 in mozilla::EventListenerManager::SetEventHandlerInternal(nsAtom*, mozilla::TypedEventHandler const&, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:743:16
#25 0x7fa66480fc57 in mozilla::EventListenerManager::SetEventHandler(nsAtom*, mozilla::dom::EventHandlerNonNull*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1530:3
#26 0x7fa66355e7dc in SetOnstorage /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventNameList.h:315:1
#27 0x7fa66355e7dc in mozilla::dom::Window_Binding::set_onstorage(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:17747:24
#28 0x7fa66407413d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3146:8
#29 0x7fa66abbef99 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458:13
#30 0x7fa66abbef99 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:550:12
#31 0x7fa66abc5161 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:619:10
#32 0x7fa66abc5161 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:8
#33 0x7fa66abc5161 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:774:10
#34 0x7fa66b2ec273 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2943:8
#35 0x7fa66b2e50cd in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2972:14
#36 0x7fa66aef5597 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:283:10
#37 0x7fa66aef5597 in js::ForwardingProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:149:10
#38 0x7fa661560100 in nsOuterWindowProxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:944:23
previously allocated by thread T0 (Web Content) here:
#0 0x55b307c184e9 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:164:3
#1 0x55b307c4d75d in moz_xrealloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:72:18
#2 0x7fa65d3f4329 in Realloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:205:12
#3 0x7fa65d3f4329 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:191:35
#4 0x7fa6647fe1e2 in ExtendCapacity<nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:117:16
#5 0x7fa6647fe1e2 in AppendElements<nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1694:49
#6 0x7fa6647fe1e2 in AppendElement<nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1719:12
#7 0x7fa6647fe1e2 in AppendElement /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTObserverArray.h:192:46
#8 0x7fa6647fe1e2 in mozilla::EventListenerManager::AddEventListenerInternal(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, mozilla::EventMessage, nsAtom*, mozilla::EventListenerFlags const&, bool, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:237:63
#9 0x7fa6648043ca in mozilla::EventListenerManager::SetEventHandlerInternal(nsAtom*, mozilla::TypedEventHandler const&, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:729:5
#10 0x7fa66480fc57 in mozilla::EventListenerManager::SetEventHandler(nsAtom*, mozilla::dom::EventHandlerNonNull*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1530:3
#11 0x7fa6635529fc in SetOnafterprint /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventNameList.h:276:1
#12 0x7fa6635529fc in mozilla::dom::Window_Binding::set_onafterprint(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:16694:24
#13 0x7fa66407413d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3146:8
#14 0x7fa66abbef99 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458:13
#15 0x7fa66abbef99 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:550:12
#16 0x7fa66abc5161 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:619:10
#17 0x7fa66abc5161 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:8
#18 0x7fa66abc5161 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:774:10
#19 0x7fa66b2ec273 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2943:8
#20 0x7fa66b2e50cd in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2972:14
#21 0x7fa66aef5597 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:283:10
#22 0x7fa66aef5597 in js::ForwardingProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:149:10
#23 0x7fa661560100 in nsOuterWindowProxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:944:23
#24 0x7fa66aed3725 in setInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:395:19
#25 0x7fa66aed3725 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:403:10
#26 0x7fa66ab9db69 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:280:12
#27 0x7fa66ab9db69 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:270:10
#28 0x7fa66ab9db69 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2875:12
#29 0x7fa66ab8997a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
#30 0x7fa66abc598f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:812:13
#31 0x7fa66aca5b5d in js::DirectEvalStringFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JSString*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:426:10
#32 0x207208d326ac (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:751:30 in mozilla::EventListenerManager::SetEventHandlerInternal(nsAtom*, mozilla::TypedEventHandler const&, bool)
==7681==ABORTING
Comment 2•5 years ago (Assignee)
Yeah, I've been looking at this, as part of bug 1591335.
The patch will be a guess fix, or partial is perhaps a better way to say it, since we don't have STR.
Comment 3•5 years ago (Assignee)
Comment 4•5 years ago (Assignee)
(The patch is based on code inspection, but I'd still very much like to get an answer to https://bugzilla.mozilla.org/show_bug.cgi?id=1581084#c12)
Comment 5•5 years ago (Assignee)
Comment on attachment 9104548 [details]
Bug 1591334, use faster access to the existing doc in antitracking reporting,r=baku
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not very easily, since we don't even have a way to reproduce the asan failure.
Note, the fix is based on the stack trace only.
When evaluating when to land the patch, see also bug 1581084.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: Maybe all?
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: (the patch seems to apply cleanly to esr68)
- How likely is this patch to cause regressions; how much testing does it need?: Shouldn't be too likely to cause regressions
Comment 6•5 years ago
Comment on attachment 9104548 [details]
Bug 1591334, use faster access to the existing doc in antitracking reporting,r=baku
Low risk of exploitation, let's land the two now and see if it fixes Nils' stuff. Send in an uplift request when you think prudent.
Comment 7•5 years ago
https://hg.mozilla.org/integration/autoland/rev/ae7103e15afdd30a2848da6b0f42e640337da96d
https://hg.mozilla.org/mozilla-central/rev/ae7103e15afd
Comment 8•5 years ago
Please nominate this for Beta and ESR68 approval when you get a chance.
Comment 9•5 years ago (Assignee)
Comment on attachment 9104548 [details]
Bug 1591334, use faster access to the existing doc in antitracking reporting,r=baku
Beta/Release Uplift Approval Request
- User impact if declined: crashes
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce: NA. The fix is based on stack trace, no test available.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Window object really should have a document object when the relevant code runs, so normally nothing changes. In the unexpected case we just don't notify about the content blocking event.
- String changes made/needed: NA
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: crashes
- User impact if declined: crashes
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Window object really should have a document object when the relevant code runs, so normally nothing changes. In the unexpected case we just don't notify about the content blocking event.
- String or UUID changes made by this patch: NA
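The re-entrancy the two ASAN stacks show (SetEventHandlerInternal appends a listener, the listener-added hook reaches NotifyContentBlockingEvent, whose GetDocument() lazily creates an about:blank viewer and frees the listener array) and the fix described in comment 9, modelled as an added C++ example that is not Mozilla code. The names are simplified stand-ins, and the non-creating document accessor is an assumption since the page does not name the one the patch uses.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed model, not Mozilla code: one entry in the listener array
// that the ASAN report shows being freed.
struct Listener {
  std::string name;
  bool handlerSet;
};

struct Window {
  std::vector<Listener> listeners;  // stands in for the listener nsTArray
  bool hasDocument = false;

  // Models nsDocShell::GetDocument() from the "freed by" stack: with no
  // document yet it creates about:blank, and SetNewDocument() tears down the
  // previous inner window, which clears and frees the listener array.
  void GetDocument() {
    if (!hasDocument) {
      hasDocument = true;
      listeners.clear();
      listeners.shrink_to_fit();  // buffer the stale pointer aims at is freed
    }
  }
  // Assumed non-creating accessor (the page does not name the one the patch
  // uses): only reports whether a document already exists.
  bool HasExistingDocument() const { return hasDocument; }
};

// Which document accessor the content-blocking notification uses.
enum class DocAccess { Lazy, ExistingOnly };

// Models NotifyContentBlockingEvent. Lazy is the pre-patch behaviour;
// ExistingOnly skips the notification when there is no document, which is
// the "unexpected case" comment 9 describes.
bool NotifyContentBlocking(Window& w, DocAccess kind) {
  if (kind == DocAccess::Lazy) {
    w.GetDocument();
    return true;
  }
  return w.HasExistingDocument();  // no side effect, nothing to notify
}

// Models SetEventHandlerInternal: append the listener, run the listener-added
// hook (which reaches the notification above), then touch the listener. The
// saved index stands in for the raw pointer held across the call; vector::at()
// turns the access ASAN reported as heap-use-after-free into a caught
// exception so the model runs safely.
bool SetOnStorageHandler(Window& w, DocAccess kind) {
  w.listeners.push_back({"storage", false});
  std::size_t idx = w.listeners.size() - 1;
  NotifyContentBlocking(w, kind);  // may re-enter and free the array
  try {
    w.listeners.at(idx).handlerSet = true;
    return true;
  } catch (const std::out_of_range&) {
    return false;  // listener storage vanished while we held a reference
  }
}

// Runs one scenario and returns 1 if the handler ended up installed on a
// surviving listener, 0 if the storage was freed under the setter.
int Scenario(DocAccess kind, bool documentAlreadyExists) {
  Window w;
  w.hasDocument = documentAlreadyExists;
  bool installed = SetOnStorageHandler(w, kind);
  bool retained = w.listeners.size() == 1 && w.listeners[0].handlerSet;
  return (installed && retained) ? 1 : 0;
}
```

Only the combination of a missing document and the lazily creating accessor loses the listener; once the document exists (the normal case), both accessors behave the same, which is why the patch is expected to change nothing in practice.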
Comment 10•5 years ago
Comment on attachment 9104548 [details]
Bug 1591334, use faster access to the existing doc in antitracking reporting,r=baku
Sec-moderate landed on nightly, uplift approved for 71 beta 8, thanks.
Comment 11•5 years ago
uplift
Comment 12•5 years ago
Comment on attachment 9104548 [details]
Bug 1591334, use faster access to the existing doc in antitracking reporting,r=baku
Fixes a sec issue. Approved for 68.3esr.
Comment 13•5 years ago
uplift
Comment 14•5 years ago