use-after-poison in nsIFrame::StyleDisplay
Categories: Core :: Layout: Columns, defect
People: Reporter: attekett, Unassigned
Keywords: crash, csectype-framepoisoning, sec-low
Attachments: 1 file
Security impact of this issue is probably mitigated by frame-poisoning, but reporting just to be sure.
Stack trace looks similar to: https://bugzilla.mozilla.org/show_bug.cgi?id=1703999 but the repro-file from that issue doesn't reproduce for me, so I guess that that issue is already fixed.
Tested on:
OS: Ubuntu 20.04
Firefox: fuzzfetch downloaded
$ fuzzfetch --target firefox --os Linux --asan --fuzzing -n firefox
[2021-12-30 05:14:40] Identified task: https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-fuzzing-asan-opt
[2021-12-30 05:14:40] > Task ID: TQ0BTqxzQ4ShRWAN8gFTgA
[2021-12-30 05:14:40] > Rank: 1640858255
[2021-12-30 05:14:40] > Changeset: 7f35691449503894cad6e0513bbdfdce7f3a6b09
[2021-12-30 05:14:40] > Build ID: 20211230095735
[2021-12-30 05:14:42] > Downloading: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/TQ0BTqxzQ4ShRWAN8gFTgA/artifacts/public/build/target.tar.bz2 (429.57MiB total)
No assert or additional info from the debug build console output.
ASAN-trace:
==32554==ERROR: AddressSanitizer: use-after-poison on address 0x6250001eca10 at pc 0x7fd1f7307180 bp 0x7ffc7a20ac40 sp 0x7ffc7a20ac38
READ of size 8 at 0x6250001eca10 thread T0 (Isolated Web Co)
#0 0x7fd1f730717f in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7fd1f730717f in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
#2 0x7fd1f730717f in nsIFrame::StyleDisplay() const /builds/worker/workspace/obj-build/dist/include/nsStyleStructList.h:46:1
#3 0x7fd1fd2072b9 in nsFloatManager::GetFlowArea(mozilla::WritingMode, int, int, nsFloatManager::BandInfoType, nsFloatManager::ShapeType, mozilla::LogicalRect, nsFloatManager::SavedState*, nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:199:42
#4 0x7fd1fd1267f8 in mozilla::BlockReflowInput::GetFloatAvailableSpaceWithState(int, nsFloatManager::ShapeType, nsFloatManager::SavedState*) const /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:296:43
#5 0x7fd1fd127cc4 in GetFloatAvailableSpace /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.h:118:12
#6 0x7fd1fd127cc4 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:569:36
#7 0x7fd1fd3b4b93 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:919:25
#8 0x7fd1fd19f5c1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4565:15
#9 0x7fd1fd19e5cd in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4367:5
#10 0x7fd1fd19784e in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4252:9
...
#118 0x55d7e907e4b8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#119 0x7fd218b060b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#120 0x55d7e8fcd159 in _start (/home/attekett/Downloads/firefox/firefox+0x5d159)
0x6250001eca10 is located 272 bytes inside of 8192-byte region [0x6250001ec900,0x6250001ee900)
allocated by thread T0 (Isolated Web Co) here:
#0 0x55d7e904972d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x7fd1f4701e70 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
#2 0x7fd1fd0fef6d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
#3 0x7fd1fd0fef6d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
#4 0x7fd1fd0fef6d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
#5 0x7fd1fd17a9a5 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
#6 0x7fd1fd17a9a5 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
#7 0x7fd1fd17a9a5 in operator new /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:440:1
#8 0x7fd1fd17a9a5 in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:430:10
#9 0x7fd1fd065b7d in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8007:16
...
#33 0x7fd1fd181c39 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1394:3
#34 0x7fd1fd19c132 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
....
==32554==ABORTING
Comment 1•3 years ago
The severity field is not set for this bug.
:jfkthame, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•3 years ago
Yeah, looks like we're dereferencing a frame that has been destroyed (and filled with poison values), the this pointer in the nsIFrame::StyleDisplay call.
Frame-poisoning means this is likely not-exploitable; hence, calling this S3, and I think we can remove the security-sensitive flag to open this up.