Poison crash in [@ nsCOMPtr<T>::assign_with_AddRef | nsCOMPtr<T>::operator= | mozilla::EventTargetChainItem::LegacyPreActivationBehavior]
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox118 | --- | unaffected |
| firefox119 | + | fixed |
| firefox120 | + | fixed |
People
(Reporter: mccr8, Assigned: edgar)
References
(Regression)
Details
(4 keywords)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/516ad414-279a-44d3-8ca8-616240231003
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll nsCOMPtr<nsISupports>::assign_with_AddRef xpcom/base/nsCOMPtr.h:807
0 xul.dll nsCOMPtr<nsISupports>::operator= xpcom/base/nsCOMPtr.h:560
0 xul.dll mozilla::EventTargetChainItem::LegacyPreActivationBehavior dom/events/EventDispatcher.cpp:448
0 xul.dll mozilla::EventDispatcher::Dispatch dom/events/EventDispatcher.cpp:1096
1 xul.dll mozilla::PresShell::HandleDOMEventWithTarget layout/base/PresShell.cpp:8811
2 xul.dll mozilla::dom::Element::DispatchEvent dom/base/Element.cpp:2263
3 xul.dll mozilla::dom::Element::DispatchClickEvent dom/base/Element.cpp:2303
4 xul.dll mozilla::dom::HTMLLabelElement::PostHandleEvent dom/html/HTMLLabelElement.cpp:165
5 xul.dll mozilla::EventTargetChainItem::PostHandleEvent dom/events/EventDispatcher.cpp:485
5 xul.dll mozilla::EventTargetChainItem::HandleEventTargetChain dom/events/EventDispatcher.cpp:654
This method was added in bug 1658996, and the crash first showed up in the 20230918094102 Nightly build, but maybe this is just a signature change? I feel like I've seen weird event crashes before, so maybe it isn't actually a regression.
|
Reporter | |
Comment 1•2 years ago
|
||
Vincent, do you think your patch could have caused a regression here? Thanks.
|
|
Reporter | |
Comment 2•2 years ago
|
||
I looked for crashes on poison values with EventStateManager::PostHandleMouseUp in the proto signature over the last 6 months. I found 10 with this signature. I didn't see any other signatures that looked like "generic event handling stuff" which is what I'd expect if this was merely signature change.
Doing the same thing with crashes with HTMLLabelElement::PostHandleEvent in the proto signature over the last 6 months, I found 3 with this signature and no other crashes.
|
|
Reporter | |
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
Set release status flags based on info from the regressing bug 1658996
|
||
Comment 4•2 years ago
|
||
These were my changes to the EventTargetChainItem and mItemData was used in a similar way already in PreHandleEvent and PostHandleEvent. In those two functions, more access violations occurred for mItemData: 11 here and 3 here.
Though given LegacyPreActivationBehavior runs earlier and under other conditions than Pre/PostHandleEvent, it might be that I created a new case where an access violation around mItemData happens. I just noticed these two places should check NS_SUCCEEDED(rv) and my patch didn't account for the case when aTargets in Dispatch is non-null. Still, I don't think there should ever be a case where accessing mItemData is illegal.
I'll add checking rv and handling aTargets to my backlock, but am out of office for the next few weeks.
|
||
Comment 5•2 years ago
|
||
Vincent, thanks for your comment.
Edgar, can you take this bug so hopefully we don't need to wait for a few weeks before making progress?
|
||
Updated•2 years ago
|
|
|
Reporter | |
Comment 6•2 years ago
|
||
One approach to investigating here would be to look at the locations in the call stack and look for raw pointers that are live across call sites and method calls on object members.
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
My theory is that EventDispatcher uses a raw pointer to cache the activation target which pointers to a element of nsTArray<EventTargetChainItem> chain and initial capacity of chain is 128. In most of case, the number of chain items is fewer than 128, so it works fine. However, if the chain items exceed 128, the nsTArray allocates a new memory region and moves the data there, which causes the raw pointer points to a invalid memory.
|
|
Assignee | |
Comment 8•2 years ago
|
||
|
|
Assignee | |
Comment 9•2 years ago
|
||
Comment on attachment 9357161 [details]
Bug 1856737 - Use index to track activation target item; r?smaug,masayuki
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I think it is not hard as the patch shows the problem is about raw pointer and nsTArray accessing.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: beta
- If not all supported branches, which bug introduced the flaw?: Bug 1658996
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Patch should apply cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: It just use index instead of raw pointer to track event chain item, behavior doesn't change, it should be safe.
- Is Android affected?: Yes
|
||
Comment 10•2 years ago
|
||
Comment on attachment 9357161 [details]
Bug 1856737 - Use index to track activation target item; r?smaug,masayuki
Approved to request uplift and land
|
||
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
|
|
||
Comment 13•2 years ago
|
||
The patch landed in nightly and beta is affected.
:edgar, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox119towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 14•2 years ago
|
||
Comment on attachment 9357161 [details]
Bug 1856737 - Use index to track activation target item; r?smaug,masayuki
Beta/Release Uplift Approval Request
- User impact if declined: Tab crash when clicking on input radio/checkbox and the event target chain items exceed the default capacity.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce: None
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It just use index instead of raw pointer to track event chain item, behavior doesn't change, it should be safe.
- String changes made/needed: None
- Is Android affected?: Yes
|
||
Updated•2 years ago
|
|
|
||
Comment 15•2 years ago
|
||
Comment on attachment 9357161 [details]
Bug 1856737 - Use index to track activation target item; r?smaug,masayuki
Approved for 119.0b9
|
|
||
Comment 16•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 17•1 year ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•