Closed Bug 1751679 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::EditorDOMPointBase<T>::Offset]

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Version:
Firefox 97
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
99 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox96 --- unaffected
firefox97 --- wontfix
firefox98 + wontfix
firefox99 + fixed

People

(Reporter: aryx, Assigned: masayuki)

References

(Regression)

Details

(Keywords: crash, regression, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main99+r])

Crash Data

Attachments

(1 file)

Bug 1751679 - Make `WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement` track DOM points while the DOM tree is being changed r=m_kato!
48 bytes, text/x-phabricator-request
Details | Review

19 crashes from 10+ installations, Windows and macOS. Firefox 97+ affected.

Crash report: https://crash-stats.mozilla.org/report/index/009364dd-6a68-4614-8fbd-41efd0220112

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(isSome())

Top 10 frames of crashing thread:

0 xul.dll mozilla::EditorDOMPointBase<nsCOMPtr<nsINode>, nsCOMPtr<nsIContent> >::Offset const editor/libeditor/EditorDOMPoint.h:500
1 xul.dll mozilla::HTMLEditor::MoveOneHardLineContents editor/libeditor/HTMLEditorDeleteHandler.cpp:4714
2 xul.dll static mozilla::WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement editor/libeditor/WSRunObject.cpp:515
3 xul.dll mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::AutoInclusiveAncestorBlockElementsJoiner::Run editor/libeditor/HTMLEditorDeleteHandler.cpp:4581
4 xul.dll mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::HandleDeleteAtCurrentBlockBoundary editor/libeditor/HTMLEditorDeleteHandler.cpp:2848
5 xul.dll mozilla::HTMLEditor::AutoDeleteRangesHandler::AutoBlockElementsJoiner::Run editor/libeditor/HTMLEditorDeleteHandler.cpp:522
6 xul.dll mozilla::HTMLEditor::AutoDeleteRangesHandler::HandleDeleteAroundCollapsedRanges editor/libeditor/HTMLEditorDeleteHandler.cpp:1832
7 xul.dll mozilla::HTMLEditor::AutoDeleteRangesHandler::Run editor/libeditor/HTMLEditorDeleteHandler.cpp:1631
8 xul.dll mozilla::HTMLEditor::HandleDeleteSelection editor/libeditor/HTMLEditorDeleteHandler.cpp:1126
9 xul.dll mozilla::EditorBase::DeleteSelectionAsSubAction editor/libeditor/EditorBase.cpp:4214
Flags: needinfo?(masayuki)
Has Regression Range: --- → yes

Well, it detects a traditional bug.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Flags: needinfo?(masayuki)
Priority: -- → P2
Version: unspecified → Firefox 97

The isSome() diagnostic assert can indicate uninitialized memory. Marking s-s.

Group: core-security
Group: core-security → dom-core-security

The method caches a DOM point, but it is not tracked correctly.

This patch adds some validations into it and one of its callee,
HTMLEditor::MoveOneHardLineContents. Additionally, making
EditorDOMPointBase::Offset avoid accessing Maybe's storage when it's
Nothing in release builds as the last resort.

sec-moderate might be under-selling this depending on what that offset is later used for

Is this a regression? Or are the asserts new?

(In reply to Daniel Veditz [:dveditz] from comment #4)

sec-moderate might be under-selling this depending on what that offset is later used for

Is this a regression? Or are the asserts new?

The assertion is new. The offset value is used to consider where the content nodes in an array will be inserted in a parent node. Therefore, even if the value is wrong, the result is just to get odd DOM tree result of editing (Backspace or Delete from start/end of a nested child block element). So I don't think that this is a security issue.

Comment on attachment 9260792 [details]
Bug 1751679 - Make WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement track DOM points while the DOM tree is being changed r=m_kato!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think that this can attack users except getting odd editing result because if the storage of Maybe<uint32_t> is random value, it just points in the parent left block element where the moving nodes which are placed in the first line of the right block element are inserted.

Anyway, this patch may not unclear what's going on because this does not touch some places around the buggy point.

  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 97
  • If not all supported branches, which bug introduced the flaw?: Bug 1741148
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Not risky because this makes it and its callers check whether the inserting point becomes invalid or not immediately after modifying the DOM tree and stop handling the edit operation in such case. This patch is cleanly grafted in beta channel.
  • How likely is this patch to cause regressions; how much testing does it need?: I'm not sure how to reproduce this bug. With this patch, it'll start to return 0u as offset when the point is invalid in release builds. I.e., when users meet a bug, the content will be inserted to start of parent block. It's clearly odd behavior so that I'd like users to report the bug as a web-compat issue.
Attachment #9260792 - Flags: sec-approval?

Calling this wontfix for 97 given where we are in the cycle (we're building our final beta tomorrow). Let me know if you feel strongly otherwise and we can reconsider.

status-firefox97: affectedwontfix

Bug 1753342 has a test case.

This is sec-moderate, so it doesn't need sec approval.

Comment on attachment 9260792 [details]
Bug 1751679 - Make WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement track DOM points while the DOM tree is being changed r=m_kato!

Oh, I didn't know that. I'll land it ASAP.

Attachment #9260792 - Flags: sec-approval?

Make WhiteSpaceVisibilityKeeper::MergeFirstLineOfRightBlockElementIntoAncestorLeftBlockElement track DOM points while the DOM tree is being changed r=m_kato
https://hg.mozilla.org/integration/autoland/rev/216db1a8defd33d9efe0623261dcd5f211b90a9b
https://hg.mozilla.org/mozilla-central/rev/216db1a8defd

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox99: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

The patch landed in nightly and beta is affected.
:masayuki, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(masayuki)

The amount of the crash reports is not so many, and the patch changes some logic. So I think that it should just ride the train (although it's fine to uplift the patch if release managers want this fix).

status-firefox98: affectedwontfix
Flags: needinfo?(masayuki)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main99+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: