Crash [@ nsCachedStyleData::GetStyleData] from [@ nsQuoteNode::Text]

VERIFIED FIXED

Status

()

Core
General
--
critical
VERIFIED FIXED
10 years ago
6 years ago

People

(Reporter: Paul Nickerson, Assigned: mats)

Tracking

({crash, verified1.8.0.14, verified1.8.1.8})

1.8 Branch
crash, verified1.8.0.14, verified1.8.1.8
Points:
---
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +
wanted1.8.0.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] wfm trunk. using freed frame, crash signature)

Attachments

(7 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
Created attachment 278310 [details]
testcase

Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6

Details:
eax=02717b70 ebx=023ac510 ecx=0271c260 edx=0270ba54 esi=0012fb70 edi=02717b28
eip=02717a75 esp=0012fb3c ebp=0012fb5c iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
02717a75 224402a8        and     al,byte ptr [edx+eax-58h]  ds:0023:04e2356c=??


Disassembly:
gklayout!nsIFrame::GetStateBits+0xa:
0197f53a 8b4024          mov     eax,dword ptr [eax+24h]
0197f53d 8be5            mov     esp,ebp
0197f53f 5d              pop     ebp
0197f540 c3              ret
0197f541 cc              int     3
0197f542 cc              int     3
0197f543 cc              int     3
0197f544 cc              int     3

Stack trace (using release build - debug build didnt crash):
0x2717a75
xpcom_core!nsQueryInterface::operator()
firefox!Java_netscape_javascript_JSObject_initClass
firefox!nsFontList::Release
firefox!jpeg_mem_init
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
xpcom_core!PL_HandleEvent
xpcom_core!PL_ProcessPendingEvents
xpcom_core!PL_IsQueueNative

This crashes all over the place, and definitely looks exploitable, IMO. Also, I wasn't able to reduce the testcase any further - maybe someone else will have more luck.
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.13?
(Reporter)

Comment 1

10 years ago
[STACKHASH:AD5295AC3574BB6B0A3CB7DBA1455E8]
Paul, could you create a testcase that crashes online, directly?
You have external references to localhost in your source.
(Reporter)

Comment 3

10 years ago
Created attachment 278312 [details]
fixed testcase

This should work. If anyone can further reduce this testcase, they should do so since it exposes the existence and partial workings of the fuzzer scripts.
Thanks.
This somehow was fixed on trunk between 2006-05-17 and 2006-05-17:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-05-17+07&maxdate=2006-05-18+09&cvsroot=%2Fcvsroot
The only bug I see in that range that might somehow be involved is bug 329122.
(Assignee)

Updated

10 years ago
Assignee: nobody → mats.palmgren
Keywords: crash
OS: Windows XP → All
Hardware: PC → All
Summary: Crash [@xpcom_core!nsQueryInterface::operator] → Crash [@ nsCachedStyleData::GetStyleData] from [@ nsQuoteNode::Text]
Whiteboard: [sg:critical?] using freed frame
(Assignee)

Comment 5

10 years ago
Created attachment 278327 [details]
stack for the crash
(Assignee)

Comment 6

10 years ago
Created attachment 278328 [details]
Tracing the quotes list

Frames can be destroyed while nsQuoteList::RecalcAll is iterating the list.
nsCSSFrameConstructor::NotifyDestroyingFrame removes the corresponding
quote list node for the destroyed frame...
(Assignee)

Comment 7

10 years ago
Created attachment 278329 [details]
Here's the stack when that frame destroy occurs
(Assignee)

Comment 8

10 years ago
Created attachment 278330 [details] [diff] [review]
wip (branch 1.8)

This avoids the crash.  Looking at nsCounterList::RecalcAll(), I think the
same thing could happen there also:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCounterManager.cpp&rev=3.1.12.1&root=/cvsroot&mark=184#163
So on trunk this is OK because no one sees these events, right?  Can we make that change on branch too?  Just not propagate mutation events out of anonymous content?

Comment 10

10 years ago
Mutation events shouldn't propagate from native anonymous content on branch 
either, hmm, unless the nsIContent is a nsGenericDOMDataNode. Is that the case here? Should the same thing be done for nsGenericDOMDataNode as what was done
for nsGenericElement in Bug 382681.
Problem is that on branch nsGenericDOMDataNode doesn't implement
SetNativeAnonymous()
http://lxr.mozilla.org/mozilla1.8/source/content/base/src/nsGenericDOMDataNode.cpp#742
Yes, the anon content is a nsTextNode here.

Can we use GetBindingParent() == this as the native anonymous test on branch?

Comment 12

10 years ago
Unfortunately no, because bug 329122 is trunk only :(
Ah, right.  :(
(Assignee)

Comment 14

10 years ago
Created attachment 278444 [details] [diff] [review]
wip2 (branch 1.8)
(Assignee)

Comment 15

10 years ago
(In reply to comment #9)
> So on trunk this is OK because no one sees these events, right?

Yes, I disabled the code that prevents these events on trunk and got
the exact same crash on trunk.

> Can we make that change on branch too?

I (naively) implemented nsGenericDOMDataNode::SetNativeAnonymous()
by setting a flag on nsGenericDOMDataNode and used that to avoid calling
HandleDOMEvent() in nsGenericDOMDataNode::HandleDOMEvent().
This fixes the bug, but we'd need to find a place for the extra bit...
(the two bits we have in mParentPtrBits are already in use AFAICT)
Could we steal a bit from the length in nsTextFragment?
Even better would be to use a bit from mNodeInfoManager
(Assignee)

Comment 18

10 years ago
Created attachment 278694 [details] [diff] [review]
wip3 (branch 1.8)

Like this?
Attachment #278694 - Flags: review?(jonas)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
Flags: blocking1.8.1.7+
Flags: blocking1.8.0.14?
Flags: blocking1.8.0.13?
(Assignee)

Comment 19

10 years ago
Created attachment 278813 [details] [diff] [review]
wip4 (branch 1.8)

Correction for SetNativeAnonymous().
Attachment #278694 - Attachment is obsolete: true
Attachment #278813 - Flags: review?(jonas)
Attachment #278694 - Flags: review?(jonas)
Yes, though I would rename mNodeInfoManager to mNodeInfoManagerPtrBits to avoid someone using it wrongly accidentally.
Comment on attachment 278813 [details] [diff] [review]
wip4 (branch 1.8)

r=me if you rename mNodeInfoManager to mNodeInfoManagerPtrBits and add a define for the 0x1 flag used both in Get/SetNativeAnonymous and in GetNodeInfoManager
Attachment #278813 - Flags: review?(jonas) → review+
since vendors sometimes backport the patches in the bugs rather than the actual checkins (which is very naughty of them), please request branch approval on a patch that incorporates Jonas's comment 21
Whiteboard: [sg:critical?] using freed frame → [sg:critical?] wfm trunk, need 1.8 approval request. using freed frame
Mats: is this going to make the 1.8.1.8 code freeze (Oct 3)?
(Assignee)

Comment 24

10 years ago
Created attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

Addressing Jonas' review comment.
Attachment #283290 - Flags: approval1.8.1.8?
Attachment #283290 - Flags: approval1.8.0.14?
(Assignee)

Updated

10 years ago
Whiteboard: [sg:critical?] wfm trunk, need 1.8 approval request. using freed frame → [sg:critical?] wfm trunk. using freed frame
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

approved for 1.8.1.8 and 1.8.0.14, a=dveditz
Attachment #283290 - Flags: approval1.8.1.8?
Attachment #283290 - Flags: approval1.8.1.8+
Attachment #283290 - Flags: approval1.8.0.14?
Attachment #283290 - Flags: approval1.8.0.14+
(Assignee)

Comment 26

10 years ago
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

guess I need an sr here before checkin...
Attachment #283290 - Flags: superreview?(bzbarsky)
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

sr=bzbarsky
Attachment #283290 - Flags: superreview?(bzbarsky) → superreview+
(Assignee)

Comment 28

10 years ago
MOZILLA_1_8_BRANCH
mozilla/content/base/src/nsCommentNode.cpp 	3.72.8.4
mozilla/content/base/src/nsDOMDocumentType.cpp 	1.27.20.5
mozilla/content/base/src/nsGenericDOMDataNode.cpp 	3.156.2.9
mozilla/content/base/src/nsGenericDOMDataNode.h 	3.98.8.9
mozilla/content/base/src/nsTextNode.cpp 	3.49.8.4
mozilla/content/xml/content/src/nsXMLCDATASection.cpp 	1.39.4.4
mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 	1.60.8.5

MOZILLA_1_8_0_BRANCH
mozilla/content/base/src/nsCommentNode.cpp 	3.72.14.2
mozilla/content/base/src/nsDOMDocumentType.cpp 	1.27.26.2
mozilla/content/base/src/nsGenericDOMDataNode.cpp 	3.156.8.4
mozilla/content/base/src/nsGenericDOMDataNode.h 	3.98.14.3
mozilla/content/base/src/nsTextNode.cpp 	3.49.14.2
mozilla/content/xml/content/src/nsXMLCDATASection.cpp 	1.39.10.2
mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 	1.60.14.2
mozilla/content/xml/content/src/nsXMLStylesheetPI.cpp 	1.12.14.2

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Flags: blocking1.8.0.14? → in-testsuite?
Keywords: fixed1.8.0.14, fixed1.8.1.8
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8pre) Gecko/20071004 BonEcho/2.0.0.8pre

I can see the crash in Firefox2.0.0.7.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.8 → verified1.8.1.8
Group: security
Depends on: 403090
This broke Find code on branch.  See bug 403090.
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.14pre) Gecko/20071210 Firefox/1.5.0.13pre. 
Keywords: fixed1.8.0.14 → verified1.8.0.14
Crash Signature: [@ nsCachedStyleData::GetStyleData] [@ nsQuoteNode::Text]
You need to log in before you can comment on or make changes to this bug.