Closed Bug 1926257 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-use-after-free [@ get] from nsIFrame::Style() via TableAwareParentFor with READ of size 8

Categories

(Core :: CSS Parsing and Computation, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1919087
Tracking Status
firefox131 --- wontfix

People

(Reporter: decoder, Unassigned)


Attachments

(1 file)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 131.0a1-20240901214551-https://hg.mozilla.org/mozilla-central/rev/c2e5212ba8d5ef250196cba1614a97edcbcc0209.

For detailed crash information, see attachment.

I saw a whole bunch of these use-after-free traces triggered over IPC involving shmem in the week of Oct 10. The builds are all Fx 129 - 131, nothing more recent. I'd like to make sure that we fixed a bug in this area?

The use is in style code, so I'm moving this there. The free is in IPC. I'd think that the use stack would be more likely to be correct than the free, but maybe that's not right if there's a bunch of similar looking use stacks?

Group: core-security → layout-core-security
Component: General → CSS Parsing and Computation

The use stack is always the same but I now checked more instances and the free stack is different. Here are some alternatives, maybe one of these is correct:

0x52100099a130 is located 2096 bytes inside of 4096-byte region [0x521000999900,0x52100099a900)
freed by thread T0 (Isolated Web Co) here:
    #0 0x55a299d648b6 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7fcf3827cd50 in Clear /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:90:7
    #2 0x7fcf3827cd50 in FreeFCItem layout/base/nsCSSFrameConstructor.cpp:11944:17
    #3 0x7fcf3827cd50 in nsCSSFrameConstructor::FrameConstructionItem::Delete(nsCSSFrameConstructor*) layout/base/nsCSSFrameConstructor.h:1158:15
    #4 0x7fcf38242178 in Destroy layout/base/nsCSSFrameConstructor.h:1053:15
    #5 0x7fcf38242178 in ~AutoFrameConstructionItemList layout/base/nsCSSFrameConstructor.h:1114:40
    #6 0x7fcf38242178 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) layout/base/nsCSSFrameConstructor.cpp:9760:1
    #7 0x7fcf3824b66b in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) layout/base/nsCSSFrameConstructor.cpp:10579:3
    #8 0x7fcf382470a3 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) layout/base/nsCSSFrameConstructor.cpp:2566:5
    #9 0x7fcf38261ef7 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) layout/base/nsCSSFrameConstructor.cpp:6739:9
    #10 0x7fcf381f0731 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) layout/base/RestyleManager.cpp:1680:25
    #11 0x7fcf381f9ea6 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) layout/base/RestyleManager.cpp:3284:7
    #12 0x7fcf381b5ea1 in ProcessPendingRestyles layout/base/RestyleManager.cpp:3370:3
    #13 0x7fcf381b5ea1 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4373:37
    #14 0x7fcf32067827 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #15 0x7fcf32067827 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) dom/base/Document.cpp:11080:16
    #16 0x7fcf301ef642 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) uriloader/base/nsDocLoader.cpp:729:14
    #17 0x7fcf301f21b4 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp:667:5
    #18 0x7fcf38b51029 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) docshell/base/nsDocShell.cpp:13787:23
    #19 0x7fcf2edbb272 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) netwerk/base/nsLoadGroup.cpp:632:22
    #20 0x7fcf2edbd6d3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) netwerk/base/nsLoadGroup.cpp:536:10
    #21 0x7fcf3202992d in DoUnblockOnload dom/base/Document.cpp:11870:18
    #22 0x7fcf3202992d in mozilla::dom::Document::UnblockOnload(bool) dom/base/Document.cpp:11808:9
    #23 0x7fcf3204e0b8 in mozilla::dom::Document::DispatchContentLoadedEvents() dom/base/Document.cpp:8288:3

another one:

freed by thread T0 (Isolated Web Co) here:
    #0 0x55dd490b8ddc in realloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:82:3
    #1 0x7f47fd6b38fa in _$LT$mozglue_static..GeckoAlloc$u20$as$u20$core..alloc..global..GlobalAlloc$GT$::realloc::hf4ca257c240ca3ae mozglue/static/rust/lib.rs:230:13
    #2 0x7f47fd6b38fa in __rust_realloc mozglue/static/rust/lib.rs:236:11
    #3 0x7f47fd6b38fa in alloc::alloc::realloc::h2ab8acf02be4c628 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/alloc/src/alloc.rs:138:14
    #4 0x7f47fd6b38fa in smallvec::SmallVec$LT$A$GT$::try_grow::hac633ebcee05433c third_party/rust/smallvec/src/lib.rs:1201:25
    #5 0x7f47fd6b38fa in smallvec::SmallVec$LT$A$GT$::reserve_one_unchecked::h5da1048e9b72bd5f third_party/rust/smallvec/src/lib.rs:1231:20
    #6 0x7f47fd6b37aa in smallvec::SmallVec$LT$A$GT$::push::h4ba1d1f86ab52063 third_party/rust/smallvec/src/lib.rs:1118:17
    #7 0x7f47fd6b37aa in style::properties::cascade::Declarations::note_declaration::hdc20ff8f854a6661 servo/components/style/properties/cascade.rs:614:9
    #8 0x7f47fce8e126 in style::properties::cascade::iter_declarations::hee4c93c5bd7ba146 servo/components/style/properties/cascade.rs:241:13
    #9 0x7f47fce8d970 in style::properties::cascade::apply_declarations::h9499171dda9d8fba servo/components/style/properties/cascade.rs:322:17
    #10 0x7f47fce8d17d in style::properties::cascade::cascade_rules::hb5999f0829aebc0b servo/components/style/properties/cascade.rs:197:5
    #11 0x7f47fce8d17d in style::properties::cascade::cascade::h41ac014137961647 servo/components/style/properties/cascade.rs:81:5
    #12 0x7f47fce8d17d in style::stylist::Stylist::cascade_style_and_visited::h28b00c351677ac28 servo/components/style/stylist.rs:1253:9
    #13 0x7f47fce8ccf8 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_style_and_visited::h3593f256ccf43615 servo/components/style/style_resolver.rs:382:22
    #14 0x7f47fce90267 in style::style_resolver::StyleResolverForElement$LT$E$GT$::cascade_primary_style::h477bece9bec7696c servo/components/style/style_resolver.rs:277:20
    #15 0x7f47fce8fb6f in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_primary_style::hcf0135a965831fc2 servo/components/style/style_resolver.rs:231:9
    #16 0x7f47fce8aea5 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style::h0559a1310a3cdc41 servo/components/style/style_resolver.rs:295:13
    #17 0x7f47fce85e80 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::_$u7b$$u7b$closure$u7d$$u7d$::h808aa160021fb96b servo/components/style/style_resolver.rs:330:13
    #18 0x7f47fce85e80 in style::style_resolver::with_default_parent_styles::h5fdd1bd9f701aba7 servo/components/style/style_resolver.rs:139:5
    #19 0x7f47fce85e80 in style::style_resolver::StyleResolverForElement$LT$E$GT$::resolve_style_with_default_parents::h7462c5dde00b6a26 servo/components/style/style_resolver.rs:329:9
    #20 0x7f47fce85e80 in style::traversal::compute_style::hbec5c62cfef2164e servo/components/style/traversal.rs:619:34
    #21 0x7f47fce85e80 in style::traversal::recalc_style_at::hbe9feceba729c70c servo/components/style/traversal.rs:432:13
    #22 0x7f47fce85e80 in _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::hb1c45367a7cb9b85 servo/components/style/gecko/traversal.rs:37:13
    #23 0x7f47fce85e80 in style::parallel::style_trees::h99936a2731a51a90 servo/components/style/parallel.rs:151:9
    #24 0x7f47fce7f113 in style::driver::traverse_dom::_$u7b$$u7b$closure$u7d$$u7d$::h3a7753f55c8efe7f servo/components/style/driver.rs:137:9
    #25 0x7f47fce7e6cf in style::driver::with_pool_in_place_scope::_$u7b$$u7b$closure$u7d$$u7d$::h4401a7b010ea19ac servo/components/style/driver.rs:67:17
    #26 0x7f47fce7e6cf in rayon_core::scope::do_in_place_scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h2cd2f65d2722208f third_party/rust/rayon-core/src/scope/mod.rs:457:36
    #27 0x7f47fce7e6cf in _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hefeadfdfa33b36a8 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/core/src/panic/unwind_safe.rs:272:9
    #28 0x7f47fce7e6cf in std::panicking::try::do_call::h4184a2f2dbf84692 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/panicking.rs:559:40
    #29 0x7f47fce7e6cf in std::panicking::try::h34e1526fd30bf228 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/panicking.rs:523:19
    #30 0x7f47fce7e6cf in std::panic::catch_unwind::h1024c8c34a36e685 /rustc/129f3b9964af4d4a709d1383930ade12dfe7c081/library/std/src/panic.rs:149:14
    #31 0x7f47fce7e6cf in rayon_core::unwind::halt_unwinding::h5685516ae7328ad5 third_party/rust/rayon-core/src/unwind.rs:17:5
    #32 0x7f47fce7e6cf in rayon_core::scope::ScopeBase::execute_job_closure::h9eab77e594202e8a third_party/rust/rayon-core/src/scope/mod.rs:689:28
    #33 0x7f47fce7e6cf in rayon_core::scope::ScopeBase::complete::hea5a6522f45cbcb6 third_party/rust/rayon-core/src/scope/mod.rs:667:31
    #34 0x7f47fce7e6cf in rayon_core::scope::do_in_place_scope_fifo::h0b87edeedbe53e72 third_party/rust/rayon-core/src/scope/mod.rs:457:5
    #35 0x7f47fce7e6cf in rayon_core::thread_pool::ThreadPool::in_place_scope_fifo::hd21ec9f5717f3a9c third_party/rust/rayon-core/src/thread_pool/mod.rs:296:9
    #36 0x7f47fce7e6cf in style::driver::with_pool_in_place_scope::hcf889c174bbfb069 servo/components/style/driver.rs:59:14
    #37 0x7f47fce7e6cf in style::driver::traverse_dom::he6d072f8a2b0f713 servo/components/style/driver.rs:126:5
    #38 0x7f47fce7c9dc in geckoservo::glue::traverse_subtree::h2fd8c4bb2d762f8e servo/ports/geckolib/glue.rs:307:5
    #39 0x7f47fce7c566 in Servo_TraverseSubtree servo/ports/geckolib/glue.rs:367:5
    #40 0x7f47f95e28c3 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) layout/style/ServoStyleSet.cpp:828:9
    #41 0x7f47f974a5e3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) layout/base/RestyleManager.cpp:3237:20
    #42 0x7f47f9706ea1 in ProcessPendingRestyles layout/base/RestyleManager.cpp:3370:3
    #43 0x7f47f9706ea1 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4373:37
    #44 0x7f47f9695317 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #45 0x7f47f9695317 in nsRefreshDriver::FlushLayoutOnPendingDocsAndFixUpFocus() layout/base/nsRefreshDriver.cpp:2211:31

and finally:

freed by thread T0 (Isolated Web Co) here:
    #0 0x55882bc9faf6 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7ff04347fad2 in js_free /builds/worker/workspace/obj-build/dist/include/js/Utility.h:432:3
    #2 0x7ff04347fad2 in free_<char> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:88:5
    #3 0x7ff04347fad2 in Clear /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:163:15
    #4 0x7ff04347fad2 in ~BufferList /builds/worker/workspace/obj-build/dist/include/mozilla/BufferList.h:115:19
    #5 0x7ff04347fad2 in JSStructuredCloneData::~JSStructuredCloneData() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:1030:75
    #6 0x7ff040568c65 in ~ReadResult /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:254:7
    #7 0x7ff040568c65 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:15272:9
    #8 0x7ff03937b7d0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25

My guess is we're dealing with a long period between free and use. Do any of the stacks make sense? (fwiw, the original IPC one appeared at least twice).

Summary: AddressSanitizer: heap-use-after-free [@ get] with READ of size 8 → AddressSanitizer: heap-use-after-free [@ get] from nsIFrame::Style() via TableAwareParentFor with READ of size 8

(In reply to Christian Holler (:decoder) from comment #0)

I saw a whole bunch of these use-after-free traces triggered over IPC involving shmem in the week of Oct 10. The builds are all Fx 129 - 131, nothing more recent. I'd like to make sure that we fixed a bug in this area?

This almost certainly would've been bug 1919087, which we fixed in Nightly 133 on 10/17 and uplifted to the 132 beta repo on 10/20. The backtrace in the log from comment 0 is almost identical to the backtrace in bug 1919087.

--> Duping.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: CVE-2024-10459
Resolution: --- → DUPLICATE
Group: layout-core-security