Closed Bug 1763006 Opened 2 years ago Closed 2 years ago

Assertion failure: mFrame (Trying to use display item after deletion!), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2126

Categories: Core :: Web Painting, defect, P3

Tracking


VERIFIED FIXED
101 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- verified

People

(Reporter: tsmith, Assigned: mikokm)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20220324-607fa621b6f2 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mFrame (Trying to use display item after deletion!), at /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2126

#0 0x7f1e23ca3c72 in Frame src/layout/painting/nsDisplayList.h:2126:5
#1 0x7f1e23ca3c72 in mozilla::ProcessFrameInternal(nsIFrame*, mozilla::nsDisplayListBuilder*, nsIFrame**, nsRect&, nsIFrame const*, nsTArray<nsIFrame*>&, bool) src/layout/painting/RetainedDisplayListBuilder.cpp:1140:68
#2 0x7f1e23ca2f0a in mozilla::RetainedDisplayListBuilder::ProcessFrame(nsIFrame*, mozilla::nsDisplayListBuilder*, nsIFrame*, nsTArray<nsIFrame*>&, bool, nsRect*, nsIFrame**) src/layout/painting/RetainedDisplayListBuilder.cpp:1207:8
#3 0x7f1e23ca3d0e in mozilla::RetainedDisplayListBuilder::ComputeRebuildRegion(nsTArray<nsIFrame*>&, nsRect*, nsIFrame**, nsTArray<nsIFrame*>&) src/layout/painting/RetainedDisplayListBuilder.cpp:1307:10
#4 0x7f1e23ca5504 in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) src/layout/painting/RetainedDisplayListBuilder.cpp:1672:10
#5 0x7f1e2392f331 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3337:40
#6 0x7f1e238a1ef7 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) src/layout/base/PresShell.cpp:6367:5
#7 0x7f1e234f78fb in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:440:18
#8 0x7f1e234f741b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:375:22
#9 0x7f1e234f89ac in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:948:5
#10 0x7f1e2385e39e in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2680:11
#11 0x7f1e23866050 in TickDriver src/layout/base/nsRefreshDriver.cpp:367:13
#12 0x7f1e23866050 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:345:7
#13 0x7f1e23865f53 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:361:5
#14 0x7f1e23865e20 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:882:5
#15 0x7f1e238654d3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:762:16
#16 0x7f1e23864b53 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncOnMainThread() src/layout/base/nsRefreshDriver.cpp:642:7
#17 0x7f1e238646bc in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:534:9
#18 0x7f1e22db766a in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
#19 0x7f1e23016136 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:54
#20 0x7f1e1f4fa39c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6479:32
#21 0x7f1e1f48fdc1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1707:25
#22 0x7f1e1f48cff7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1632:9
#23 0x7f1e1f48daed in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1493:3
#24 0x7f1e1f48e67e in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1528:14
#25 0x7f1e1e8fd4ce in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:467:16
#26 0x7f1e1e8d7a26 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:778:26
#27 0x7f1e1e8d66c3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#28 0x7f1e1e8d6933 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:390:36
#29 0x7f1e1e9024f6 in operator() src/xpcom/threads/TaskController.cpp:124:37
#30 0x7f1e1e9024f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#31 0x7f1e1e8ec1d3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1187:16
#32 0x7f1e1e8f2bed in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
#33 0x7f1e1f495776 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
#34 0x7f1e1f3b33a7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#35 0x7f1e1f3b32b2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#36 0x7f1e1f3b32b2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#37 0x7f1e2355cfd8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#38 0x7f1e25664f63 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:870:20
#39 0x7f1e1f49666a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
#40 0x7f1e1f3b33a7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
#41 0x7f1e1f3b32b2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:373:3
#42 0x7f1e1f3b32b2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
#43 0x7f1e25664599 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:729:34
#44 0x5631ea9ac2f7 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#45 0x5631ea9ac2f7 in main src/browser/app/nsBrowserApp.cpp:327:18
#46 0x7f1e3bb05c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
#47 0x5631ea987a7c in _start (/home/twsmith/workspace/browsers/m-c-20220324093615-fuzzing-debug/firefox-bin+0x15a7c)
Flags: in-testsuite?
Group: layout-core-security → gfx-core-security

A Pernosco session is available here: https://pernos.co/debug/lNzIf_Ooyov3_Y25IRKxPg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220404231805-605d0f0c41e6.
The bug appears to have been introduced in the following build range:

Start: 36e92b5f64f62d6e4a1d8086de53f34223f472c1 (20210910033856)
End: c5b71e6ce0e5a9711f5cb682022e6d549a063257 (20210910034715)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=36e92b5f64f62d6e4a1d8086de53f34223f472c1&tochange=c5b71e6ce0e5a9711f5cb682022e6d549a063257

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

That assertion sounds like a clear UAF unless there's some mitigating check later that will save us.

The severity field is not set for this bug.
:miko, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mikokm)

sec related, adding an owner.

Assignee: nobody → mikokm

:miko, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mikokm)

(In reply to Daniel Veditz [:dveditz] from comment #3)

That assertion sounds like a clear UAF unless there's some mitigating check later that will save us.

I do not believe that the actual display item here has been deleted. This assertion is triggered when accessing the display item's frame field after the frame has been deleted (which sets nsDisplayItem::mFrame to nullptr, hence the assert). We only compare this pointer, so this does not even look like a null deref.

I think the fix here is to make GetFirstDisplayItemWithChildren() exclude items with deleted frames.

Severity: -- → S3
Flags: needinfo?(mikokm)
Priority: -- → P3
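To make the mechanism described in the comment above concrete, here is an added C++ example that is not Gecko code and not taken from this bug's patches. It models a retained display list whose items have their frame pointer cleared when the owning frame is deleted, a debug accessor that trips (here, by throwing) when a deleted item's frame is read, the pre-fix shape of the lookup that compares every item's frame, and the post-fix shape that skips items belonging to deleted or other frames before touching the accessor. All type and function names (Frame, DisplayItem, DeleteFrame, FrameOf, FindStackingContextItemNaive, FindStackingContextItemSafe, RunScenario) are hypothetical stand-ins, not the nsIFrame, nsDisplayItem or GetFirstDisplayItemWithChildren() API.

```cpp
// Added example (not Gecko code). Models why comparing a deleted item's mFrame
// trips a debug assertion even though the item itself is still alive, and how
// the lookup avoids it by filtering items before reading the frame pointer.
#include <stdexcept>
#include <vector>

struct DisplayItem;

// Hypothetical stand-in for a frame: tracks the retained items that refer to it.
struct Frame {
  int id;
  std::vector<DisplayItem*> items;
};

// Hypothetical stand-in for a display item.
struct DisplayItem {
  Frame* mFrame;     // cleared to nullptr when the owning frame is deleted
  bool hasChildren;  // true for a stacking-context-like item that owns a child list
};

// Frame deletion in this model: every retained item that referenced the frame
// gets mFrame cleared, so the item holds a null pointer rather than a dangling one.
void DeleteFrame(Frame& f) {
  for (DisplayItem* item : f.items) item->mFrame = nullptr;
  f.items.clear();
}

// Debug accessor modelled on the assertion text in the report. Reading the frame
// of a deleted item is treated as a bug; a debug build would assert, this throws.
Frame* FrameOf(const DisplayItem& item) {
  if (!item.mFrame) {
    throw std::logic_error("Trying to use display item after deletion!");
  }
  return item.mFrame;
}

// Pre-fix shape: goes through the accessor for every retained item, including
// ones whose frame is already gone, so it trips the accessor on the first such item.
DisplayItem* FindStackingContextItemNaive(std::vector<DisplayItem>& list,
                                          const Frame* target) {
  for (DisplayItem& item : list) {
    if (FrameOf(item) == target && item.hasChildren) return &item;
  }
  return nullptr;
}

// Post-fix shape: ignore items with a deleted frame and items belonging to a
// different frame, and only then consider the item as a candidate.
DisplayItem* FindStackingContextItemSafe(std::vector<DisplayItem>& list,
                                         const Frame* target) {
  for (DisplayItem& item : list) {
    if (!item.mFrame) continue;           // deleted frame: skip
    if (item.mFrame != target) continue;  // other frame: skip
    if (item.hasChildren) return &item;
  }
  return nullptr;
}

// Constructed scenario: frames A and B each contribute retained items, A is
// deleted, then a partial update looks up B's stacking-context item.
// Returns 1 when the naive lookup trips the accessor and the safe lookup
// still finds B's item (index 2), 0 otherwise.
int RunScenario() {
  Frame a{1, {}};
  Frame b{2, {}};
  std::vector<DisplayItem> list;
  list.reserve(3);
  list.push_back({&a, true});
  list.push_back({&b, false});
  list.push_back({&b, true});
  for (DisplayItem& item : list) {
    (item.mFrame == &a ? a : b).items.push_back(&item);
  }

  DeleteFrame(a);

  bool naiveTripped = false;
  try {
    FindStackingContextItemNaive(list, &b);
  } catch (const std::logic_error&) {
    naiveTripped = true;
  }

  DisplayItem* found = FindStackingContextItemSafe(list, &b);
  return (naiveTripped && found == &list[2]) ? 1 : 0;
}

int main() { return RunScenario() == 1 ? 0 : 1; }
```

The point the example makes is the one the comment argues: the item being compared is live and its frame pointer is null, not dangling, so the fix is an ordering change (filter on mFrame before calling the accessor) rather than a lifetime fix, and the same filter drops items of other frames that the lookup should not have matched in the first place.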

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:miko, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mikokm)
Flags: needinfo?(mikokm)

Per discussion with Miko, this isn't a sec issue.

Attachment #9274271 - Attachment description: Bug 1763006 - Ignore display items belonging to deleted or other frames, when retrieving a previous stacking context display item for building rect r=mstange → Bug 1763006 - Part 1: Ignore display items belonging to deleted or other frames, when retrieving a previous stacking context display item for building rect r=mstange
Pushed by mikokm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b833fb2082e9
Part 1: Ignore display items belonging to deleted or other frames, when retrieving a previous stacking context display item for building rect r=mstange
https://hg.mozilla.org/integration/autoland/rev/6bedf2329fe1
Part 2: Clarify deleted frame assertion message r=mstange
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220429094842-a3002a9b4204.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
