AddressSanitizer: heap-buffer-overflow [@ GetIntegerValue] with READ of size 4
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
Flag | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox-esr115 | --- | unaffected
firefox114 | --- | unaffected
firefox115 | --- | unaffected
firefox116 | + | fixed
People
(Reporter: jkratzer, Assigned: mccr8)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Crash Data
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 750c24176cc2 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 750c24176cc2 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: heap-buffer-overflow [@ GetIntegerValue] with READ of size 4
=================================================================
==3815073==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000013430 at pc 0x7f634cce325e bp 0x7fffd699dab0 sp 0x7fffd699daa8
READ of size 4 at 0x603000013430 thread T0 (Isolated Web Co)
#0 0x7f634cce325d in GetIntegerValue /dom/base/nsAttrValueInlines.h:148:68
#1 0x7f634cce325d in mozilla::dom::HTMLTableElement::BuildInheritedAttributes() /dom/html/HTMLTableElement.cpp:943:28
#2 0x7f634cce32da in mozilla::dom::HTMLTableElement::BindToTree(mozilla::dom::BindContext&, nsINode&) /dom/html/HTMLTableElement.cpp:960:3
#3 0x7f634922467d in nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1612:15
#4 0x7f63475dcdfc in AppendChildTo /dom/base/nsINode.h:931:5
#5 0x7f63475dcdfc in nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, nsHtml5DocumentBuilder*) /parser/html/nsHtml5TreeOperation.cpp:253:12
#6 0x7f63475c99a6 in nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*) /parser/html/nsHtml5TreeOperation.cpp:270:17
#7 0x7f63475d3253 in operator() /parser/html/nsHtml5TreeOperation.cpp:798:14
#8 0x7f63475d3253 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineAndColumnNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:266:16
#9 0x7f63475d3253 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineAndColumnNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#10 0x7f63475d3253 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:852:12
#11 0x7f63475d3253 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /parser/html/nsHtml5TreeOperation.cpp:1206:21
#12 0x7f63475d1ed2 in nsHtml5TreeOpExecutor::RunFlushLoop() /parser/html/nsHtml5TreeOpExecutor.cpp:694:19
#13 0x7f63475df722 in nsHtml5ExecutorFlusher::Run() /parser/html/nsHtml5StreamParser.cpp:174:18
#14 0x7f6344fa753a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
#15 0x7f6344f924ce in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:880:26
#16 0x7f6344f8f417 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:704:15
#17 0x7f6344f8fcff in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
#18 0x7f6344faf171 in operator() /xpcom/threads/TaskController.cpp:218:37
#19 0x7f6344faf171 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#20 0x7f6344fd9283 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1199:16
#21 0x7f6344fe6cb4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#22 0x7f6346bfcdee in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#23 0x7f6346a24e9a in RunInternal /ipc/chromium/src/base/message_loop.cc:370:10
#24 0x7f6346a24e9a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#25 0x7f6346a24e9a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#26 0x7f6350196839 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#27 0x7f635602179e in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:717:20
#28 0x7f6346a24e9a in RunInternal /ipc/chromium/src/base/message_loop.cc:370:10
#29 0x7f6346a24e9a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#30 0x7f6346a24e9a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#31 0x7f6356020e58 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:652:34
#32 0x55f51d4fb6de in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#33 0x55f51d4fb6de in main /browser/app/nsBrowserApp.cpp:375:18
#34 0x7f636bacdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#35 0x7f636bacde3f in __libc_start_main csu/../csu/libc-start.c:392:3
#36 0x55f51d424d18 in _start (/home/jkratzer/builds/m-c-20230623092529-fuzzing-asan-opt/firefox+0x107d18) (BuildId: 634671658158d494eb6237b942b82ef19c5d8ff5)
0x603000013432 is located 0 bytes after 18-byte region [0x603000013420,0x603000013432)
allocated by thread T4 here:
#0 0x55f51d4bd64e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7f6344cc6ced in nsStringBuffer::Alloc(unsigned long) /xpcom/string/nsStringBuffer.cpp:68:42
#2 0x7f6347549382 in nsHtml5String::FromBuffer(char16_t*, int, nsHtml5TreeBuilder*) /parser/html/nsHtml5String.cpp:113:7
#3 0x7f6347514699 in nsHtml5Portability::newStringFromBuffer(char16_t*, int, int, nsHtml5TreeBuilder*, bool) /parser/html/nsHtml5Portability.cpp:47:10
#4 0x7f6347562533 in strBufToString /parser/html/nsHtml5Tokenizer.cpp:246:23
#5 0x7f6347562533 in nsHtml5Tokenizer::addAttributeWithValue() /parser/html/nsHtml5Tokenizer.cpp:389:25
#6 0x7f634758e1a4 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) /parser/html/nsHtml5Tokenizer.cpp:908:15
#7 0x7f634754352d in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) /parser/html/nsHtml5Tokenizer.cpp:450:11
#8 0x7f63475332c7 in nsHtml5StreamParser::ParseAvailableData() /parser/html/nsHtml5StreamParser.cpp:2476:32
#9 0x7f63475304c8 in nsHtml5StreamParser::DoDataAvailable(mozilla::Span<unsigned char const, 18446744073709551615ul>) /parser/html/nsHtml5StreamParser.cpp:1564:3
#10 0x7f63475355b1 in nsHtml5StreamParser::DoDataAvailableBuffer(mozilla::Buffer<unsigned char>&&) /parser/html/nsHtml5StreamParser.cpp:1482:5
#11 0x7f63475226ad in nsHtml5StreamParser::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /parser/html/nsHtml5StreamParser.cpp:1658:7
#12 0x7f634752240a in nsHtml5StreamListener::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /parser/html/nsHtml5StreamListener.cpp:91:9
#13 0x7f6346134f8c in mozilla::net::HttpChannelChild::DoOnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /netwerk/protocol/http/HttpChannelChild.cpp:793:29
#14 0x7f6346132a1d in mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTSubstring<char> const&) /netwerk/protocol/http/HttpChannelChild.cpp:695:3
#15 0x7f63465e98b2 in mozilla::net::ChannelEventQueue::FlushQueue() /netwerk/ipc/ChannelEventQueue.cpp:94:12
#16 0x7f634664450f in CompleteResume /netwerk/ipc/ChannelEventQueue.h:316:5
#17 0x7f634664450f in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /netwerk/ipc/ChannelEventQueue.cpp:152:17
#18 0x7f6344fd9689 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1193:16
#19 0x7f6344fe6cb4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#20 0x7f6346bfe7f9 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
#21 0x7f6346a24e9a in RunInternal /ipc/chromium/src/base/message_loop.cc:370:10
#22 0x7f6346a24e9a in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#23 0x7f6346a24e9a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#24 0x7f6344fd067a in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
#25 0x7f636b5d3b3f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#26 0x7f636bb38b42 in start_thread nptl/pthread_create.c:442:8
Thread T4 created by T0 (Isolated Web Co) here:
#0 0x55f51d4a57ca in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f636b5c22a4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f636b5afe9e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f6344fd436c in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:634:18
#4 0x7f6344fe455e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:548:12
#5 0x7f6344ff230c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:175:57
#6 0x7f634750bdd4 in NS_NewNamedThread<13UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:87:10
#7 0x7f634750bdd4 in nsHtml5Module::InitializeStatics() /parser/html/nsHtml5Module.cpp:63:3
#8 0x7f6351662bca in nsLayoutStatics::Initialize() /layout/build/nsLayoutStatics.cpp:235:3
#9 0x7f63516628e9 in nsLayoutModuleInitialize() /layout/build/nsLayoutModule.cpp:104:7
#10 0x7f6344f66553 in nsComponentManagerImpl::Init() /xpcom/components/nsComponentManager.cpp:371:5
#11 0x7f6345057a85 in NS_InitXPCOM /xpcom/build/XPCOMInit.cpp:421:51
#12 0x7f634ef97360 in mozilla::dom::ContentProcess::Init(int, char**) /dom/ipc/ContentProcess.cpp:153:8
#13 0x7f6356020e27 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:618:21
#14 0x55f51d4fb6de in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#15 0x55f51d4fb6de in main /browser/app/nsBrowserApp.cpp:375:18
#16 0x7f636bacdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /dom/base/nsAttrValueInlines.h:148:68 in GetIntegerValue
==3815073==ABORTING
Comment 1 (Reporter, 1 year ago)
Comment 2 (Reporter, 1 year ago)
Comment 3 (Reporter, 1 year ago)
We've seen a flood of these in the last few hours so I suspect this is a recent regression.
Comment 5 (Assignee, 1 year ago)
[Tracking Requested - why for this release]: sec high, probable regression, with a trivial test case
Comment 6 (Assignee, 1 year ago)
I get this assertion in a debug build, so I think this is more like a type confusion: some kind of variant container is expected to be an int, but it actually has a string (based on the ASan allocation stack).
Assertion failure: Type() == eInteger (wrong type), at /Users/andrewmccreight/mc/dom/base/nsAttrValueInlines.h:146
#01: nsAttrValue::GetIntegerValue() const
#02: mozilla::dom::HTMLTableElement::BuildInheritedAttributes()
#03: mozilla::dom::HTMLTableElement::BindToTree(mozilla::dom::BindContext&, nsINode&)
#04: nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool, mozilla::ErrorResult&)
Comment 7 (Assignee, 1 year ago)
The prior code, MapInheritedTableAttributesIntoRule, did an explicit check that value->Type() == nsAttrValue::eInteger is true after getting the value of the cellpadding attribute.
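The type confusion described in Comments 6 and 7, as an added example that is not Firefox's code: a cut-down model of an nsAttrValue-style tagged value with the unchecked accessor beside the checked one. Struct names and layouts (StringBuffer, MiscContainer, mStringBits) are hypothetical simplifications chosen so the offsets line up with the report's 18-byte region and the read at offset 16.

```cpp
// Added example, not Firefox code: why GetIntegerValue() needs the caller to
// check the value's type first. Layouts below are hypothetical simplifications.
#include <cstddef>
#include <cstdint>
#include <optional>

enum class AttrType { eString, eInteger };

// What a string-typed value points at: a small refcounted character buffer.
// 8 header bytes + 5 UTF-16 units ("abcd\0") = 18 bytes, as in the report.
struct StringBuffer {
  uint32_t refCount;
  uint32_t storageSize;   // bytes of chars, including the terminator
  char16_t chars[5];
};

// What an integer-typed value may point at: a container holding a union.
struct MiscContainer {
  AttrType mType;
  uintptr_t mStringBits;  // hypothetical field; pushes mValue to offset 16
  union { int32_t mInteger; const void* mPtr; } mValue;
};

struct AttrValue {
  AttrType type;
  const void* storage;    // StringBuffer* or MiscContainer*, selected by `type`

  // Buggy shape: trusts that `storage` is a MiscContainer. For a string-typed
  // value this reads 4 bytes at offset 16 of an 18-byte StringBuffer, i.e. the
  // read runs 2 bytes past the end of the allocation (ASan's READ of size 4).
  int32_t GetIntegerValueUnchecked() const {
    return static_cast<const MiscContainer*>(storage)->mValue.mInteger;
  }

  // Fixed shape: the check the old MapInheritedTableAttributesIntoRule did
  // for cellpadding, restored in BuildInheritedAttributes by the patch.
  std::optional<int32_t> GetIntegerValueChecked() const {
    if (type != AttrType::eInteger) return std::nullopt;
    return static_cast<const MiscContainer*>(storage)->mValue.mInteger;
  }
};

// Last byte (exclusive) the unchecked read touches, from the allocation start.
constexpr size_t kUncheckedReadEnd = offsetof(MiscContainer, mValue) + sizeof(int32_t);
bool UncheckedReadOverflows(size_t allocBytes) { return kUncheckedReadEnd > allocBytes; }

// Constructed samples: cellpadding="abcd" (string-typed) and cellpadding=4.
static const StringBuffer kSample = {1, 10, {u'a', u'b', u'c', u'd', u'\0'}};
static const AttrValue kStringValue = {AttrType::eString, &kSample};
static const MiscContainer kIntContainer = {AttrType::eInteger, 0, {4}};
static const AttrValue kIntValue = {AttrType::eInteger, &kIntContainer};
size_t StringAllocationBytes() { return offsetof(StringBuffer, chars) + kSample.storageSize; }
```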
Comment 8 (Assignee, 1 year ago)
Comment 9 (Assignee, 1 year ago)
This is also showing up in Nightly: bp-47e83a97-2bc2-4957-a165-474630230623
All null crashes for what that is worth.
Comment 10 (Assignee, 1 year ago)
Here is the check in the old code.
Comment 11 (1 year ago)
Verified bug as reproducible on mozilla-central 20230623092529-750c24176cc2.
The bug appears to have been introduced in the following build range:
Start: 19c777f3b143ca86c79eb065fef63b104200fe97 (20230622134915)
End: b9e51e69d0451a93822b61cc15d72666124f02dd (20230622144102)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=19c777f3b143ca86c79eb065fef63b104200fe97&tochange=b9e51e69d0451a93822b61cc15d72666124f02dd
Comment 12 (Assignee, 1 year ago)
Comment 13 (1 year ago)
Add back type check to HTMLTableElement::BuildInheritedAttributes(). r=nika
https://hg.mozilla.org/integration/autoland/rev/897b88c7e2ed402ae0bd51a5e0174c7637699fd7
https://hg.mozilla.org/mozilla-central/rev/897b88c7e2ed
Comment 15 (1 year ago)
Verified bug as fixed on rev mozilla-central 20230625195949-a529a3830f68.
Comment 16 (Assignee, 1 year ago)
This is more like a type confusion on a union type, so maybe wildptr is better than bounds?
Comment 17 (1 year ago)
Comment 18 (1 year ago)
Set release status flags based on info from the regressing bug 1839223