Crash [@ nsObjectLoadingContent::OnStartRequest] with object, DOMAttrModified and colorpicker

VERIFIED FIXED in mozilla1.9.3a1

Status

Product: Core
Component: DOM
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 9 years ago
Modified: 6 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: jst)

Tracking

Version: Trunk
Target Milestone: mozilla1.9.3a1
Keywords: crash, testcase, verified1.9.0.16, verified1.9.1, verified1.9.2
Points: ---
Bug Flags:
blocking1.9.2 -
wanted1.9.2 +
blocking1.9.1 -
wanted1.9.1 +
wanted1.9.0.x +
in-testsuite ?

Firefox Tracking Flags

(status1.9.2 beta2-fixed, status1.9.1 .6-fixed)

Details

(Whiteboard: [sg:dos] null deref, crash signature)

Attachments

(3 attachments)

(Reporter)

Description

9 years ago
Created attachment 372606 [details]
testcase

See testcase, which crashes current trunk build and Firefox3.0.7 on load.

http://crash-stats.mozilla.com/report/index/41738fe7-3cb8-4456-8911-5deee2090414?p=1
0  	xul.dll  	nsObjectLoadingContent::OnStartRequest  	 content/base/src/nsObjectLoadingContent.cpp:540
1 	xul.dll 	nsBaseChannel::OnStartRequest 	netwerk/base/src/nsBaseChannel.cpp:665
2 	xul.dll 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:439
3 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:395
4 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
5 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
6 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
7 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:192
8 	nspr4.dll 	PR_GetEnv 	
9 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
10 	firefox.exe 	firefox.exe@0x21a7 	
11 	kernel32.dll 	BaseProcessStart
(Reporter)

Comment 1

9 years ago
The testcase doesn't seem to crash online.
(Reporter)

Updated

8 years ago
Flags: wanted1.9.2?
Flags: wanted1.9.1?
Flags: blocking1.9.2?
Flags: blocking1.9.1?
jst/jonas: can we get a blocking decision here?
Flags: wanted1.9.0.x?

Comment 3

8 years ago
Created attachment 376985 [details] [diff] [review]
shows where the problem is

#7  0x00002aaab0dfa75b in nsObjectLoadingContent::RemovedFromDocument (this=0xf4b920)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1375
#8  0x00002aaab0e92b74 in nsHTMLObjectElement::UnbindFromTree (this=0xf4b8d0, aDeep=27046, aNullParent=6)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/content/src/nsHTMLObjectElement.cpp:239
#9  0x00002aaab0de9ba1 in nsGenericElement::doRemoveChildAt (aIndex=1, aNotify=1, aKid=0xf4b8d0, aParent=0x17d51e0, 
    aDocument=<value optimized out>, aChildArray=@0x17d5218)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3398
#10 0x00002aaab0de9e58 in nsGenericElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3325
#11 0x00002aaab109ab84 in nsXULElement::RemoveChildAt (this=0x17d51e0, aIndex=1, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/content/src/nsXULElement.cpp:961
#12 0x00002aaab0de85cf in nsGenericElement::doRemoveChild (aOldChild=0xf4b9c8, aParent=<value optimized out>, 
    aDocument=<value optimized out>, aReturn=0x7fffc508bff0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4002
#13 0x00002aaab06a1ced in nsIDOMNode_RemoveChild (cx=<value optimized out>, argc=1, vp=0x1a9d678) at dom_quickstubs.cpp:2936
#14 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#15 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=1, vp=0x1a9d660, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#16 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, flags=0, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#17 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb580, fval=15782912, argc=1, argv=0x1a9d658, 
    rval=0x7fffc508c5c0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#18 0x00002aaab0f7fa57 in nsJSContext::CallEventHandler (this=0x1dc7150, aTarget=<value optimized out>, 
    aScope=<value optimized out>, aHandler=0xf0d400, aargv=0x17aa390, arv=0x7fffc508c7e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:2026
#19 0x00002aaab0fc9b2b in nsJSEventListener::HandleEvent (this=0x11b08a0, aEvent=0x1ad2428)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/events/nsJSEventListener.cpp:247
#20 0x00002aaab0e3745f in nsEventListenerManager::HandleEventSubType (this=0x1ae4b30, aListenerStruct=0x1ae4b78, 
    aListener=0x11b08a0, aDOMEvent=0x1ad2428, aCurrentTarget=0x17ab800, aPhaseFlags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1090
#21 0x00002aaab0e379e7 in nsEventListenerManager::HandleEvent (this=0x1ae4b30, aPresContext=0x0, aEvent=0x7fffc508ced0, 
    aDOMEvent=0x7fffc508cc00, aCurrentTarget=0x17ab800, aFlags=2, aEventStatus=0x7fffc508cc08)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventListenerManager.cpp:1187
#22 0x00002aaab0e5b85d in nsEventTargetChainItem::HandleEvent (this=0x1acb118, aVisitor=@0x7fffc508cbf0, aFlags=2, 
    aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:227
#23 0x00002aaab0e5bacc in nsEventTargetChainItem::HandleEventTargetChain (this=0x1acb428, aVisitor=@0x7fffc508cbf0, 
    aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:315
#24 0x00002aaab0e5bfbe in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=<value optimized out>, 
    aEvent=0x7fffc508ced0, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/events/src/nsEventDispatcher.cpp:508
#25 0x00002aaab0de7b9e in nsGenericElement::SetAttrAndNotify (this=0x205b180, aNamespaceID=0, aName=0xa21b88, 
    aPrefix=<value optimized out>, aOldValue=@0x7fffc508d030, aParsedValue=<value optimized out>, aModification=0, 
    aFireMutation=1, aNotify=1, aValueForAfterSetAttr=0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4406
#26 0x00002aaab0de8045 in nsGenericElement::SetAttr (this=0x205b180, aNamespaceID=0, aName=0xa21b88, aPrefix=0x0, 
    aValue=@0x7fffc508d190, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#27 0x00002aaab0de1ad9 in nsGenericElement::SetAttribute (this=0x205b180, aName=@0x7fffc508d1b0, aValue=@0x7fffc508d190)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.h:386
#28 0x00002aaab06a4cb3 in nsIDOMElement_SetAttribute (cx=0x1bd0a80, argc=2, vp=0x1a9d620) at dom_quickstubs.cpp:2213
#29 0x00002aaaaad760a5 in js_Interpret (cx=0x1bd0a80) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:5118
#30 0x00002aaaaad7f60b in js_Invoke (cx=0x1bd0a80, argc=0, vp=0x1a9d418, flags=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1375
#31 0x00002aaaaad7faa5 in js_InternalInvoke (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, flags=0, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1428
#32 0x00002aaaaad26c54 in JS_CallFunctionValue (cx=0x1bd0a80, obj=0x16eb6c0, fval=15783936, argc=0, argv=0x0, 
    rval=0x7fffc508d720) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5191
#33 0x00002aaab0f3eba9 in nsXBLProtoImplAnonymousMethod::Execute (this=0x14a27d0, aBoundElement=0x177cc40)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:332
#34 0x00002aaab0f4cb1d in nsBindingManager::ProcessAttachedQueue (this=0x1a97db0, aSkipSize=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1015
#35 0x00002aaab0c06d1a in PresShell::FlushPendingNotifications (this=0x2092290, aType=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/base/nsPresShell.cpp:4765
#36 0x00002aaab0dc7a8d in nsDocument::FlushPendingNotifications (this=<value optimized out>, aType=Flush_Style)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsDocument.cpp:6273
#37 0x00002aaab0dfb040 in nsObjectLoadingContent::NotifyStateChanged (this=0xf4b920, 
    aOldType=nsObjectLoadingContent::eType_Loading, aOldState=2097152, aSync=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:1528
#38 0x00002aaab0dfe6a8 in AutoNotifier::Notify (this=0x7fffc508da50)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:235
#39 0x00002aaab0dfc25e in nsObjectLoadingContent::OnStartRequest (this=0xf4b920, aRequest=0x1938df0, aContext=0x0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsObjectLoadingContent.cpp:534
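Added illustration (not code from this bug, and not Mozilla's patch, which is not reproduced on this page): the stack above shows OnStartRequest firing a synchronous state notification, the flush running an XBL constructor, script firing DOMAttrModified and calling removeChild on the object element, and RemovedFromDocument tearing down the loader's state while OnStartRequest is still on the stack and about to use it. The small C++ model below reproduces that control flow with assumed names (ObjectLoader, Channel, Result, RunLoad) and puts the unpatched shape beside the shape comment 5 describes: re-check the pointer after the notification and fail the load with an error instead of dereferencing null.

```cpp
// Added example, not Mozilla code: a model of the re-entrancy in the comment 3
// stack. All names here (ObjectLoader, Channel, Result, RunLoad) are assumed.
#include <functional>
#include <string>
#include <utility>

// Hypothetical result codes standing in for nsresult.
enum Result { OK = 0, ERR_NOT_AVAILABLE = 1, NULL_DEREF_REACHED = 2 };

// Stand-in for the request/channel a loader holds while a load is in flight.
struct Channel {
  std::string contentType;
};

class ObjectLoader {
 public:
  explicit ObjectLoader(Channel* channel) : mChannel(channel) {}

  // Listener run from inside the synchronous notification. In the bug this is
  // the DOMAttrModified handler that calls removeChild on the <object>.
  void SetStateListener(std::function<void(ObjectLoader&)> listener) {
    mListener = std::move(listener);
  }

  // What UnbindFromTree -> RemovedFromDocument does: tear down the load.
  void RemovedFromDocument() {
    mChannel = nullptr;
    mInDocument = false;
  }

  // Unpatched shape: the pointer is validated before the notification, so a
  // listener that removes the element leaves mChannel null at the point of use.
  // Instead of dereferencing null (the crash in this bug) the model reports
  // that it reached the dereference with a null pointer.
  Result OnStartRequestUnpatched(std::string* typeOut) {
    if (!mChannel) return ERR_NOT_AVAILABLE;   // checked too early
    NotifyStateChanged();                      // may re-enter and clear state
    if (!mChannel) return NULL_DEREF_REACHED;  // real code: mChannel-> here
    *typeOut = mChannel->contentType;
    return OK;
  }

  // Patched shape, following comment 5's description (a null check that fails
  // the load with an error rather than a warning): re-validate after anything
  // that can run script, then bail out cleanly.
  Result OnStartRequestPatched(std::string* typeOut) {
    NotifyStateChanged();
    if (!mChannel || !mInDocument) return ERR_NOT_AVAILABLE;
    *typeOut = mChannel->contentType;
    return OK;
  }

 private:
  // Models NotifyStateChanged -> FlushPendingNotifications -> script.
  void NotifyStateChanged() {
    if (mListener) mListener(*this);
  }

  Channel* mChannel;
  bool mInDocument = true;
  std::function<void(ObjectLoader&)> mListener;
};

// Drives one load against a constructed channel. `hostile` installs a listener
// that removes the element mid-load, the pattern from the testcase.
Result RunLoad(bool patched, bool hostile, std::string* typeOut) {
  Channel channel{"application/x-test"};  // constructed sample input
  ObjectLoader loader(&channel);
  if (hostile) {
    loader.SetStateListener([](ObjectLoader& l) { l.RemovedFromDocument(); });
  }
  return patched ? loader.OnStartRequestPatched(typeOut)
                 : loader.OnStartRequestUnpatched(typeOut);
}

int main() {
  std::string type;
  Result r1 = RunLoad(false, true, &type);   // NULL_DEREF_REACHED
  Result r2 = RunLoad(true, true, &type);    // ERR_NOT_AVAILABLE
  Result r3 = RunLoad(true, false, &type);   // OK, type == "application/x-test"
  return (r1 == NULL_DEREF_REACHED && r2 == ERR_NOT_AVAILABLE && r3 == OK) ? 0 : 1;
}
```

The point to carry over from the stack: any call that can flush layout or run script may invalidate member state, so the state has to be validated after that call, not only before it.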
(Assignee)

Comment 4

8 years ago
This is not an exploitable crash, just a simple null dereference crash. Opening bug to the public.
Group: core-security
(Assignee)

Comment 5

8 years ago
I don't think we should block on this, but I'd like to see a patch approved. I think what we want to do here is exactly what smaug's patch does, except w/o warning and throwing a better error. Updated patch coming up.
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: wanted1.9.1?
Flags: wanted1.9.1+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
Flags: blocking1.9.1?
Flags: blocking1.9.1-
(Assignee)

Updated

8 years ago
Assignee: nobody → jst
Status: NEW → ASSIGNED
(Assignee)

Comment 6

8 years ago
Created attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.
Attachment #377088 - Flags: superreview?(bzbarsky)
Attachment #377088 - Flags: review+
(Assignee)

Updated

8 years ago
Attachment #377088 - Attachment is patch: true
Attachment #377088 - Attachment mime type: application/octet-stream → text/plain
Whiteboard: [sg:dos] null deref
Attachment #377088 - Flags: superreview?(bzbarsky) → superreview+
(Reporter)

Comment 7

8 years ago
Is the fix ready to be checked in?
It doesn't block 3.5 and also doesn't have approval1.9.1. So, given the tree rules, it cannot be checked in right now.
(Reporter)

Comment 9

8 years ago
Is the fix now ready to be checked in?
(Reporter)

Comment 10

8 years ago
Can the fix be checked in?
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/acfc95cc1e92
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Verified fixed on trunk with builds on all platforms like Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a1pre) Gecko/20091003 Minefield/3.7a1pre ID:20091003031247

I'm not able to crash any build on Windows but any branch on OS X and Linux crashes immediately when loading the testcase. Can we get in the crashtest too?

Johnny, can we request approvals on your patch for the remaining branches?
Status: RESOLVED → VERIFIED
status1.9.1: --- → ?
Flags: in-testsuite?
OS: Windows XP → All
Hardware: x86 → All
(Assignee)

Comment 13

8 years ago
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Sure. This is adding a null pointer check, perfectly safe. We should take this for older releases...
Attachment #377088 - Flags: approval1.9.0.16?
Attachment #377088 - Flags: approval1.9.0.15?
As noted in my comment above, it still crashes on 1.9.2 and 1.9.1 too. This bug is not marked as blocking, so we would also need flags for both branches.
(Assignee)

Updated

8 years ago
Attachment #377088 - Flags: approval1.9.2+
Attachment #377088 - Flags: approval1.9.1.4?
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Not for 1.9.1.4. Pushing out approval request.
Attachment #377088 - Flags: approval1.9.1.5?
Attachment #377088 - Flags: approval1.9.1.4?
Attachment #377088 - Flags: approval1.9.0.15?
Attachment #377088 - Flags: approval1.9.1.5?
Attachment #377088 - Flags: approval1.9.1.5+
Attachment #377088 - Flags: approval1.9.0.16?
Attachment #377088 - Flags: approval1.9.0.16+
Comment on attachment 377088 [details] [diff] [review]
Smaugs fix, tweaked.

Approved for 1.9.1.5 and 1.9.0.16, a=dveditz for release-drivers
status1.9.1: ? → wanted
Flags: wanted1.9.0.x? → wanted1.9.0.x+

Updated

8 years ago
Keywords: checkin-needed
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/623cf3215288
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/a269181aa86a
status1.9.1: wanted → .6-fixed
status1.9.2: --- → final-fixed
Whiteboard: [sg:dos] null deref → [sg:dos] null deref [needs 1.9.0 landing]
Johnny: Can we get this landed on 1.9.0 asap?
(Assignee)

Comment 19

8 years ago
Fixed in CVS.
Keywords: fixed1.9.0.16

Updated

8 years ago
Keywords: checkin-needed
Whiteboard: [sg:dos] null deref [needs 1.9.0 landing] → [sg:dos] null deref
Verified fixed on 1.9.2 and 1.9.1 with builds on Linux and OS X:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b3pre) Gecko/20091114 Namoroka/3.6b3pre ID:20091114033807

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.6pre) Gecko/20091108 Shiretoko/3.5.6pre ID:20091108030959
Keywords: verified1.9.1, verified1.9.2
Verified for 1.9.0.16 using Martijn's testcase with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.16pre) Gecko/2009111921 GranParadiso/3.0.16pre (.NET CLR 3.5.30729). Testcase crashes 1.9.0.15 on load on the same system.
Keywords: fixed1.9.0.16 → verified1.9.0.16
Crash Signature: [@ nsObjectLoadingContent::OnStartRequest]