Closed Bug 1663439 Opened 4 years ago Closed 4 years ago

AddressSanitizer: use-after-poison [@ get] with READ of size 8

Categories

(Core :: Layout: Tables, defect)

defect
Not set
normal

Tracking

()

VERIFIED FIXED
83 Branch
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 82+ fixed
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 + verified
firefox83 + verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high, testcase, Whiteboard: [bugmon:confirm][sec-survey][adv-main82+r][adv-esr78.4+r], [wptsync upstream])

Attachments

(5 files)

Found while fuzzing mozilla-central rev d4e11195e398. I'm currently reducing the testcase and will attach it once complete.

==15214==ERROR: AddressSanitizer: use-after-poison on address 0x625000b9ccc0 at pc 0x7f99e94147d0 bp 0x7fff961b3100 sp 0x7fff961b30f8
READ of size 8 at 0x625000b9ccc0 thread T0 (file:// Content)
    #0 0x7f99e94147cf in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f99e94147cf in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7f99e94147cf in nsIFrame::StyleDisplay() const /builds/worker/workspace/obj-build/dist/include/nsStyleStructList.h:46:1
    #3 0x7f99ef248a1d in nsTableFrame::PageBreakAfter(nsIFrame*, nsIFrame*) /gecko/layout/tables/nsTableFrame.cpp:230:27
    #4 0x7f99ef26146e in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /gecko/layout/tables/nsTableFrame.cpp:3054:21
    #5 0x7f99ef25d249 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /gecko/layout/tables/nsTableFrame.cpp:2035:3
    #6 0x7f99ef25b7a4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableFrame.cpp:1821:5
    #7 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #8 0x7f99ef2a25d5 in nsTableWrapperFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /gecko/layout/tables/nsTableWrapperFrame.cpp:783:3
    #9 0x7f99ef2a3ad6 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableWrapperFrame.cpp:936:3
    #10 0x7f99eef04970 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:294:11
    #11 0x7f99eeefb9ad in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3833:11
    #12 0x7f99eeef7f65 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3169:5
    #13 0x7f99eeeeed54 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2707:7
    #14 0x7f99eeee6e56 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1368:3
    #15 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #16 0x7f99eef3050e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:749:5
    #17 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #18 0x7f99ef142304 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageContentFrame.cpp:63:5
    #19 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #20 0x7f99ef1437b8 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /gecko/layout/generic/nsPageFrame.cpp:136:3
    #21 0x7f99ef143d86 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageFrame.cpp:163:13
    #22 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #23 0x7f99eee98bb7 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/PrintedSheetFrame.cpp:130:5
    #24 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #25 0x7f99ef14c352 in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageSequenceFrame.cpp:287:5
    #26 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
    #27 0x7f99eefc0425 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:755:3
    #28 0x7f99eefc1c9d in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:879:3
    #29 0x7f99eefc8533 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1277:3
    #30 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
    #31 0x7f99eeed6284 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:297:7
    #32 0x7f99eecf6c4d in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9643:11
    #33 0x7f99eed09697 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9816:24
    #34 0x7f99eed08109 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4239:11
    #35 0x7f99ef637822 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1403:5
    #36 0x7f99ef637822 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /gecko/layout/printing/nsPrintJob.cpp:1888:14
    #37 0x7f99ef63580a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /gecko/layout/printing/nsPrintJob.cpp:1478:3
    #38 0x7f99ef62e22a in nsPrintJob::InitPrintDocConstruction(bool) /gecko/layout/printing/nsPrintJob.cpp:1510:3
    #39 0x7f99ef63ba88 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /gecko/layout/printing/nsPrintJob.cpp:2646:17
    #40 0x7f99f2408be9 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /gecko/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
    #41 0x7f99e8261fc4 in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:228:28
    #42 0x7f99e7da7ef1 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8796:32
    #43 0x7f99e7b3cb1e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2150:25
    #44 0x7f99e7b38ad4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2074:9
    #45 0x7f99e7b3a8d8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1922:3
    #46 0x7f99e7b3b3a8 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1953:13
    #47 0x7f99e6837ea9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
    #48 0x7f99e68343b7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
    #49 0x7f99e6832257 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
    #50 0x7f99e68326ad in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
    #51 0x7f99e6843ce4 in operator() /gecko/xpcom/threads/TaskController.cpp:86:37
    #52 0x7f99e6843ce4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_5>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #53 0x7f99e6867d04 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
    #54 0x7f99e687248c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #55 0x7f99e7b45744 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
    #56 0x7f99e7a4a141 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #57 0x7f99e7a4a141 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #58 0x7f99e7a4a141 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #59 0x7f99ee7ad6d7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #60 0x7f99f247583f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #61 0x7f99e7a4a141 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #62 0x7f99e7a4a141 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #63 0x7f99e7a4a141 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #64 0x7f99f2474ddc in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #65 0x5581422948dd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #66 0x558142294d17 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #67 0x7f9a02d5e0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #68 0x5581421e8279 in _start (/home/worker/builds/m-c-20200904033504-fuzzing-asan-opt/firefox+0x5c279)

0x625000b9ccc0 is located 960 bytes inside of 8192-byte region [0x625000b9c900,0x625000b9e900)
allocated by thread T0 (file:// Content) here:
    #0 0x55814226210d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f99e681b5e0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7f99eee51e4e in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:205:25
    #3 0x7f99eee51e4e in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:67:12
    #4 0x7f99eee51e4e in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:71:15
    #5 0x7f99ef29a525 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:259:32
    #6 0x7f99ef29a525 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:251:12
    #7 0x7f99ef29a525 in operator new /gecko/layout/tables/nsTableRowGroupFrame.cpp:1650:1
    #8 0x7f99ef29a525 in NS_NewTableRowGroupFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /gecko/layout/tables/nsTableRowGroupFrame.cpp:1646:10
    #9 0x7f99eed8905e in nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:1951:16
    #10 0x7f99eed97240 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3611:16
    #11 0x7f99eed9ecba in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
    #12 0x7f99eed87486 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
    #13 0x7f99eed88197 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9603:3
    #14 0x7f99eed86c5e in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:1893:5
    #15 0x7f99eed97240 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3611:16
    #16 0x7f99eed9ecba in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
    #17 0x7f99eed87486 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
    #18 0x7f99eed88197 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9603:3
    #19 0x7f99eed8e2f8 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:10483:3
    #20 0x7f99eed8bb21 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) /gecko/layout/base/nsCSSFrameConstructor.cpp:2352:5
    #21 0x7f99eeda3a3f in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:6956:9
    #22 0x7f99eecf2e57 in mozilla::PresShell::Initialize() /gecko/layout/base/PresShell.cpp:1863:26
    #23 0x7f99ef637726 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /gecko/layout/printing/nsPrintJob.cpp:1883:3
    #24 0x7f99ef63580a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /gecko/layout/printing/nsPrintJob.cpp:1478:3

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
  0x0c4a8016b940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a8016b990: 00 00 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
  0x0c4a8016b9a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00
  0x0c4a8016b9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b9c0: 00 00 00 f7 f7 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8016b9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==15214==ABORTING
Attached file testcase.html
Attached file prefs.js
Flags: in-testsuite?
Group: core-security → layout-core-security

Nice, so happy we can fuzz the printing code now!

Flags: needinfo?(emilio)
Keywords: sec-high
Assignee: nobody → emilio
Flags: needinfo?(emilio)

This causes an assertion when printing the test-case, though it turns
out not to be the cause of the bug in the end. Still seems worth fixing,
and will be tested by the test in the following patch.

As the reflow may destroy the next-in-flow. See existing code.

Depends on D90145

Depends on D90146

Comment on attachment 9175594 [details]
Bug 1663439 - Re-order rowgroups if reflowing a tfoot with an already split next-in-flow. r=TYlin

Beta/Release Uplift Approval Request

  • User impact if declined:
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch:

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not too easily, but not impossible either... This is mitigated by frame poisoning.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Fix should apply cleanly
  • How likely is this patch to cause regressions; how much testing does it need?: not likely
Attachment #9175594 - Flags: sec-approval?
Attachment #9175594 - Flags: approval-mozilla-esr78?
Attachment #9175594 - Flags: approval-mozilla-beta?
Attachment #9175593 - Flags: approval-mozilla-beta?
Attachment #9175593 - Flags: sec-approval?

Comment on attachment 9175593 [details]
Bug 1663439 - Avoid negative avail bsizes in paginated table reflow. r=TYLin

Approved to land and uplift. I wonder if this should go to ESR also just to have consistency in the branches?

Attachment #9175593 - Flags: sec-approval?
Attachment #9175593 - Flags: sec-approval+
Attachment #9175593 - Flags: approval-mozilla-beta?
Attachment #9175593 - Flags: approval-mozilla-beta+

Comment on attachment 9175594 [details]
Bug 1663439 - Re-order rowgroups if reflowing a tfoot with an already split next-in-flow. r=TYlin

Approved to land and uplift

Attachment #9175594 - Flags: sec-approval?
Attachment #9175594 - Flags: sec-approval+
Attachment #9175594 - Flags: approval-mozilla-esr78?
Attachment #9175594 - Flags: approval-mozilla-esr78+
Attachment #9175594 - Flags: approval-mozilla-beta?
Attachment #9175594 - Flags: approval-mozilla-beta+

Comment on attachment 9175593 [details]
Bug 1663439 - Avoid negative avail bsizes in paginated table reflow. r=TYLin

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: See comment 8
  • User impact if declined: Probably layout weirdness.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple fix to avoid negative sizes during paged reflow.
  • String or UUID changes made by this patch: none
Attachment #9175593 - Flags: approval-mozilla-esr78?
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

I was able to reproduce this crash by using the test case from comment 1, on an affected Nightly asan build from 2020-09-07.

The crash is not reproducing anymore with the attached test case, when hitting the print button, on the latest asan builds: Beta 82.0b2 (20200922141418) and 83.0a1 (20200923095909) running Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(emilio)
Whiteboard: [bugmon:confirm] → [bugmon:confirm][sec-survey]

Done

Flags: needinfo?(emilio)
Attachment #9175593 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Whiteboard: [bugmon:confirm][sec-survey] → [bugmon:confirm][sec-survey][adv-main82+r]
Whiteboard: [bugmon:confirm][sec-survey][adv-main82+r] → [bugmon:confirm][sec-survey][adv-main82+r][adv-esr78.4+r]
Group: core-security-release

I don't think this test ever landed... (Sorry Emilio, I know I keep bugging you about ages-old things!)

Flags: needinfo?(emilio)

No worries, thanks for the ping!

Flags: needinfo?(emilio)
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/34346 for changes under testing/web-platform/tests
Whiteboard: [bugmon:confirm][sec-survey][adv-main82+r][adv-esr78.4+r] → [bugmon:confirm][sec-survey][adv-main82+r][adv-esr78.4+r], [wptsync upstream]
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/c5d74a64aa20
Add a spec link to keep linter happy.
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: