Open Bug 1747992 Opened 3 years ago Updated 3 years ago

use-after-poison in nsIFrame::StyleDisplay

Categories

(Core :: Layout: Columns, defect)

defect

People

(Reporter: attekett, Unassigned)

Details

(Keywords: crash, csectype-framepoisoning, sec-low)

Attachments

(1 file)

Security impact of this issue is probably mitigated by frame-poisoning, but reporting just to be sure.

Stack trace looks similar to: https://bugzilla.mozilla.org/show_bug.cgi?id=1703999
but the repro-file from that issue doesn't reproduce for me, so I guess that issue is already fixed.

Tested on:
OS: Ubuntu 20.04
Firefox: fuzzfetch downloaded
$ fuzzfetch --target firefox --os Linux --asan --fuzzing -n firefox
[2021-12-30 05:14:40] Identified task: https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.latest.firefox.linux64-fuzzing-asan-opt
[2021-12-30 05:14:40] > Task ID: TQ0BTqxzQ4ShRWAN8gFTgA
[2021-12-30 05:14:40] > Rank: 1640858255
[2021-12-30 05:14:40] > Changeset: 7f35691449503894cad6e0513bbdfdce7f3a6b09
[2021-12-30 05:14:40] > Build ID: 20211230095735
[2021-12-30 05:14:42] > Downloading: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/TQ0BTqxzQ4ShRWAN8gFTgA/artifacts/public/build/target.tar.bz2 (429.57MiB total)

No assert or additional info from the debug build console output.

ASAN-trace:

==32554==ERROR: AddressSanitizer: use-after-poison on address 0x6250001eca10 at pc 0x7fd1f7307180 bp 0x7ffc7a20ac40 sp 0x7ffc7a20ac38
READ of size 8 at 0x6250001eca10 thread T0 (Isolated Web Co)
    #0 0x7fd1f730717f in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7fd1f730717f in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7fd1f730717f in nsIFrame::StyleDisplay() const /builds/worker/workspace/obj-build/dist/include/nsStyleStructList.h:46:1
    #3 0x7fd1fd2072b9 in nsFloatManager::GetFlowArea(mozilla::WritingMode, int, int, nsFloatManager::BandInfoType, nsFloatManager::ShapeType, mozilla::LogicalRect, nsFloatManager::SavedState*, nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:199:42
    #4 0x7fd1fd1267f8 in mozilla::BlockReflowInput::GetFloatAvailableSpaceWithState(int, nsFloatManager::ShapeType, nsFloatManager::SavedState*) const /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:296:43
    #5 0x7fd1fd127cc4 in GetFloatAvailableSpace /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.h:118:12
    #6 0x7fd1fd127cc4 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowInput.cpp:569:36
    #7 0x7fd1fd3b4b93 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:919:25
    #8 0x7fd1fd19f5c1 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4565:15
    #9 0x7fd1fd19e5cd in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4367:5
    #10 0x7fd1fd19784e in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4252:9
    ...
    #118 0x55d7e907e4b8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #119 0x7fd218b060b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #120 0x55d7e8fcd159 in _start (/home/attekett/Downloads/firefox/firefox+0x5d159)

0x6250001eca10 is located 272 bytes inside of 8192-byte region [0x6250001ec900,0x6250001ee900)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x55d7e904972d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x7fd1f4701e70 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7fd1fd0fef6d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7fd1fd0fef6d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7fd1fd0fef6d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7fd1fd17a9a5 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7fd1fd17a9a5 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7fd1fd17a9a5 in operator new /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:440:1
    #8 0x7fd1fd17a9a5 in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:430:10
    #9 0x7fd1fd065b7d in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8007:16
    ...
    #33 0x7fd1fd181c39 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1394:3
    #34 0x7fd1fd19c132 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
....
==32554==ABORTING

Group: firefox-core-security → layout-core-security
Component: General → Layout
Product: Firefox → Core
Component: Layout → Layout: Columns

The severity field is not set for this bug.
:jfkthame, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jfkthame)

Yeah, looks like we're dereferencing a frame that has been destroyed (and filled with poison values), the this pointer in the nsIFrame::StyleDisplay call.

Frame-poisoning means this is likely not-exploitable; hence, calling this S3, and I think we can remove the security-sensitive flag to open this up.

Group: layout-core-security
Severity: -- → S3
Flags: needinfo?(jfkthame)
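To make the "use-after-poison" classification and the frame-poisoning argument concrete, here is an added illustration (not Gecko's code, and not from either commenter) of an arena allocator that overwrites a frame with a fixed poison pattern when it is destroyed, so a stale pointer such as the one read in nsIFrame::StyleDisplay sees poison rather than whatever the next allocation put there. The chunk size mirrors the ArenaAllocator<8192ul, 8ul> in the trace; the fixed frame size and the poison byte are assumed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Assumed stand-ins: real Gecko frames are variable-sized, and its poison
 * value is an address guaranteed never to be mapped, so a dereference faults. */
#define CHUNK_SIZE 8192u
#define FRAME_SIZE 272u
#define POISON_BYTE 0xE5u
#define MAX_FRAMES (CHUNK_SIZE / FRAME_SIZE)

typedef struct {
    uint8_t chunk[CHUNK_SIZE];     /* one arena chunk, like ArenaAllocator<8192> */
    size_t used;                   /* bump pointer into the chunk */
    void *free_list[MAX_FRAMES];   /* freed slots are tracked outside the objects */
    size_t free_count;
} FrameArena;

/* Recycle a freed slot first; a fresh frame is always zeroed before use. */
void *arena_alloc_frame(FrameArena *a) {
    void *p;
    if (a->free_count > 0) {
        p = a->free_list[--a->free_count];
    } else {
        if (a->used + FRAME_SIZE > CHUNK_SIZE) return NULL;
        p = a->chunk + a->used;
        a->used += FRAME_SIZE;
    }
    memset(p, 0, FRAME_SIZE);
    return p;
}

/* Destroying a frame overwrites it with poison before it goes on the free list,
 * so a stale pointer reads a fixed pattern, not attacker-influenced contents.
 * ASan builds additionally mark the bytes inaccessible, which is why the
 * report above says use-after-poison rather than use-after-free. */
void arena_free_frame(FrameArena *a, void *frame) {
    memset(frame, POISON_BYTE, FRAME_SIZE);
    a->free_list[a->free_count++] = frame;
}

bool frame_is_poisoned(const void *frame) {
    const uint8_t *b = frame;
    for (size_t i = 0; i < FRAME_SIZE; i++) if (b[i] != POISON_BYTE) return false;
    return true;
}

/* Models nsIFrame::StyleDisplay(): read the 8-byte pointer stored in the frame. */
uint64_t read_style_ptr(const void *frame) { uint64_t v; memcpy(&v, frame, sizeof v); return v; }
```

After a free, the pointer value read back is the poison pattern, which in Gecko points at memory that is never mapped, so the dereference crashes instead of following a pointer an attacker could have placed there.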