Crash [@ nsCachedStyleData::GetStyleData] from [@ nsQuoteNode::Text]

VERIFIED FIXED

Status

()

defect
--
critical
VERIFIED FIXED
12 years ago
8 years ago

People

(Reporter: pvnick, Assigned: mats)

Tracking

({crash, verified1.8.0.14, verified1.8.1.8})

1.8 Branch
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +
wanted1.8.0.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] wfm trunk. using freed frame, crash signature)

Attachments

(7 attachments, 1 obsolete attachment)

Reporter

Description

12 years ago
Posted file testcase (obsolete) —
Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6

Details:
eax=02717b70 ebx=023ac510 ecx=0271c260 edx=0270ba54 esi=0012fb70 edi=02717b28
eip=02717a75 esp=0012fb3c ebp=0012fb5c iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
02717a75 224402a8        and     al,byte ptr [edx+eax-58h]  ds:0023:04e2356c=??


Disassembly:
gklayout!nsIFrame::GetStateBits+0xa:
0197f53a 8b4024          mov     eax,dword ptr [eax+24h]
0197f53d 8be5            mov     esp,ebp
0197f53f 5d              pop     ebp
0197f540 c3              ret
0197f541 cc              int     3
0197f542 cc              int     3
0197f543 cc              int     3
0197f544 cc              int     3

Stack trace (using release build - debug build didnt crash):
0x2717a75
xpcom_core!nsQueryInterface::operator()
firefox!Java_netscape_javascript_JSObject_initClass
firefox!nsFontList::Release
firefox!jpeg_mem_init
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
xpcom_core!PL_HandleEvent
xpcom_core!PL_ProcessPendingEvents
xpcom_core!PL_IsQueueNative

This crashes all over the place, and definitely looks exploitable, IMO. Also, I wasn't able to reduce the testcase any further - maybe someone else will have more luck.
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.13?
Reporter

Comment 1

12 years ago
[STACKHASH:AD5295AC3574BB6B0A3CB7DBA1455E8]
Paul, could you create a testcase that crashes online, directly?
You have external references to localhost in your source.
Reporter

Comment 3

12 years ago
Posted file fixed testcase
This should work. If anyone can further reduce this testcase, they should do so since it exposes the existence and partial workings of the fuzzer scripts.
Assignee

Updated

12 years ago
Assignee: nobody → mats.palmgren
Keywords: crash
OS: Windows XP → All
Hardware: PC → All
Summary: Crash [@xpcom_core!nsQueryInterface::operator] → Crash [@ nsCachedStyleData::GetStyleData] from [@ nsQuoteNode::Text]
Whiteboard: [sg:critical?] using freed frame
Assignee

Comment 5

12 years ago
Posted file stack for the crash
Assignee

Comment 6

12 years ago
Frames can be destroyed while nsQuoteList::RecalcAll is iterating the list.
nsCSSFrameConstructor::NotifyDestroyingFrame removes the corresponding
quote list node for the destroyed frame...
Assignee

Comment 8

12 years ago
This avoids the crash.  Looking at nsCounterList::RecalcAll(), I think the
same thing could happen there also:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCounterManager.cpp&rev=3.1.12.1&root=/cvsroot&mark=184#163
So on trunk this is OK because no one sees these events, right?  Can we make that change on branch too?  Just not propagate mutation events out of anonymous content?
Mutation events shouldn't propagate from native anonymous content on branch 
either, hmm, unless the nsIContent is a nsGenericDOMDataNode. Is that the case here? Should the same thing be done for nsGenericDOMDataNode as what was done
for nsGenericElement in Bug 382681.
Problem is that on branch nsGenericDOMDataNode doesn't implement
SetNativeAnonymous()
http://lxr.mozilla.org/mozilla1.8/source/content/base/src/nsGenericDOMDataNode.cpp#742
Yes, the anon content is a nsTextNode here.

Can we use GetBindingParent() == this as the native anonymous test on branch?
Unfortunately no, because bug 329122 is trunk only :(
Ah, right.  :(
Assignee

Comment 14

12 years ago
Assignee

Comment 15

12 years ago
(In reply to comment #9)
> So on trunk this is OK because no one sees these events, right?

Yes, I disabled the code that prevents these events on trunk and got
the exact same crash on trunk.

> Can we make that change on branch too?

I (naively) implemented nsGenericDOMDataNode::SetNativeAnonymous()
by setting a flag on nsGenericDOMDataNode and used that to avoid calling
HandleDOMEvent() in nsGenericDOMDataNode::HandleDOMEvent().
This fixes the bug, but we'd need to find a place for the extra bit...
(the two bits we have in mParentPtrBits are already in use AFAICT)
Could we steal a bit from the length in nsTextFragment?
Even better would be to use a bit from mNodeInfoManager
Assignee

Comment 18

12 years ago
Posted patch wip3 (branch 1.8) (obsolete) — Splinter Review
Like this?
Attachment #278694 - Flags: review?(jonas)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
Flags: blocking1.8.1.7+
Flags: blocking1.8.0.14?
Flags: blocking1.8.0.13?
Assignee

Comment 19

12 years ago
Correction for SetNativeAnonymous().
Attachment #278694 - Attachment is obsolete: true
Attachment #278813 - Flags: review?(jonas)
Attachment #278694 - Flags: review?(jonas)
Yes, though I would rename mNodeInfoManager to mNodeInfoManagerPtrBits to avoid someone using it wrongly accidentally.
Comment on attachment 278813 [details] [diff] [review]
wip4 (branch 1.8)

r=me if you rename mNodeInfoManager to mNodeInfoManagerPtrBits and add a define for the 0x1 flag used both in Get/SetNativeAnonymous and in GetNodeInfoManager
Attachment #278813 - Flags: review?(jonas) → review+
since vendors sometimes backport the patches in the bugs rather than the actual checkins (which is very naughty of them), please request branch approval on a patch that incorporates Jonas's comment 21
Whiteboard: [sg:critical?] using freed frame → [sg:critical?] wfm trunk, need 1.8 approval request. using freed frame
Mats: is this going to make the 1.8.1.8 code freeze (Oct 3)?
Assignee

Comment 24

12 years ago
Addressing Jonas' review comment.
Attachment #283290 - Flags: approval1.8.1.8?
Attachment #283290 - Flags: approval1.8.0.14?
Assignee

Updated

12 years ago
Whiteboard: [sg:critical?] wfm trunk, need 1.8 approval request. using freed frame → [sg:critical?] wfm trunk. using freed frame
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

approved for 1.8.1.8 and 1.8.0.14, a=dveditz
Attachment #283290 - Flags: approval1.8.1.8?
Attachment #283290 - Flags: approval1.8.1.8+
Attachment #283290 - Flags: approval1.8.0.14?
Attachment #283290 - Flags: approval1.8.0.14+
Assignee

Comment 26

12 years ago
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

guess I need an sr here before checkin...
Attachment #283290 - Flags: superreview?(bzbarsky)
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

sr=bzbarsky
Attachment #283290 - Flags: superreview?(bzbarsky) → superreview+
Assignee

Comment 28

12 years ago
MOZILLA_1_8_BRANCH
mozilla/content/base/src/nsCommentNode.cpp 	3.72.8.4
mozilla/content/base/src/nsDOMDocumentType.cpp 	1.27.20.5
mozilla/content/base/src/nsGenericDOMDataNode.cpp 	3.156.2.9
mozilla/content/base/src/nsGenericDOMDataNode.h 	3.98.8.9
mozilla/content/base/src/nsTextNode.cpp 	3.49.8.4
mozilla/content/xml/content/src/nsXMLCDATASection.cpp 	1.39.4.4
mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 	1.60.8.5

MOZILLA_1_8_0_BRANCH
mozilla/content/base/src/nsCommentNode.cpp 	3.72.14.2
mozilla/content/base/src/nsDOMDocumentType.cpp 	1.27.26.2
mozilla/content/base/src/nsGenericDOMDataNode.cpp 	3.156.8.4
mozilla/content/base/src/nsGenericDOMDataNode.h 	3.98.14.3
mozilla/content/base/src/nsTextNode.cpp 	3.49.14.2
mozilla/content/xml/content/src/nsXMLCDATASection.cpp 	1.39.10.2
mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 	1.60.14.2
mozilla/content/xml/content/src/nsXMLStylesheetPI.cpp 	1.12.14.2

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: blocking1.8.0.14? → in-testsuite?
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8pre) Gecko/20071004 BonEcho/2.0.0.8pre

I can see the crash in Firefox2.0.0.7.
Status: RESOLVED → VERIFIED
Group: security
This broke Find code on branch.  See bug 403090.
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.14pre) Gecko/20071210 Firefox/1.5.0.13pre. 
Crash Signature: [@ nsCachedStyleData::GetStyleData] [@ nsQuoteNode::Text]
You need to log in before you can comment on or make changes to this bug.