Closed Bug 747688 (CVE-2012-1940) Opened 12 years ago Closed 12 years ago

Heap-use-after-free in nsFrameList::FirstChild

Categories

(Core :: Layout, defect)

x86_64
All
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla15
Tracking Status
firefox13 + fixed
firefox14 + fixed
firefox15 --- verified
firefox-esr10 13+ fixed

People

(Reporter: inferno, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords, Whiteboard: [asan][sg:critical][advisory-tracking+][qa-])

Crash Data

Attachments

(4 files)

Attached file Testcase
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19

Steps to reproduce:

Tested on Aurora 20120421074909
http://hg.mozilla.org/releases/mozilla-aurora/rev/6f27de794daa
and Trunk 20120419154942
http://hg.mozilla.org/mozilla-central/rev/c861d58b7ade

ASAN stack:
==18828== ERROR: AddressSanitizer heap-use-after-free on address 0x7fdb84d6bd80 at pc 0x7fdbafbd1f54 bp 0x7fffecab7970 sp 0x7fffecab7968
READ of size 8 at 0x7fdb84d6bd80 thread T0
    #0 0x7fdbafbd1f54 in nsFrameList::FirstChild() const /usr/local/google/home/aarya/firefox/aurora-src/modules/zlib/src/inffast.c:0
    #1 0x7fdb8ac27660 in  
0x7fdb84d6bd80 is located 0 bytes inside of 16-byte region [0x7fdb84d6bd80,0x7fdb84d6bd90)
freed by thread T0 here:
    #0 0x410dd2 in free ??:0
    #1 0x7fdbafd55b96 in operator delete(void*) /usr/local/google/home/aarya/firefox/aurora-src/../../dist/include/mozilla/mozalloc.h:253
    #2 0x2000007fdbaf8308
previously allocated by thread T0 here:
    #0 0x410e92 in malloc ??:0
    #1 0x7fdbb5469450 in moz_xmalloc /usr/local/google/home/aarya/firefox/aurora-src/memory/mozalloc/mozalloc.cpp:103
==18828== ABORTING
Stats: 162M malloced (161M for red zones) by 345347 calls
Stats: 43M realloced by 19180 calls
Stats: 131M freed by 228972 calls
Stats: 0M really freed by 0 calls
Stats: 356M (91189 full pages) mmaped in 89 calls
  mmaps   by size class: 8:262128; 9:57337; 10:20475; 11:16376; 12:3072; 13:2048; 14:1536; 15:384; 16:704; 17:224; 18:128; 19:56; 20:16;
  mallocs by size class: 8:254495; 9:49981; 10:18431; 11:15427; 12:2334; 13:1818; 14:1464; 15:381; 16:639; 17:199; 18:116; 19:49; 20:13;
  frees   by size class: 8:154593; 9:40949; 10:15619; 11:12669; 12:1671; 13:991; 14:1276; 15:335; 16:566; 17:185; 18:63; 19:45; 20:10;
  rfrees  by size class:
Stats: malloc large: 377 small slow: 1901
Shadow byte and word:
  0x1ffb709ad7b0: fd
  0x1ffb709ad7b0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffb709ad790: fd fd fd fd fd fd fd fd
  0x1ffb709ad798: fd fd fd fd fd fd fd fd
  0x1ffb709ad7a0: fa fa fa fa fa fa fa fa
  0x1ffb709ad7a8: fa fa fa fa fa fa fa fa
=>0x1ffb709ad7b0: fd fd fd fd fd fd fd fd
  0x1ffb709ad7b8: fd fd fd fd fd fd fd fd
  0x1ffb709ad7c0: fa fa fa fa fa fa fa fa
  0x1ffb709ad7c8: fa fa fa fa fa fa fa fa
  0x1ffb709ad7d0: fd fd fd fd fd fd fd fd

Valgrind stack:

==19089== Invalid read of size 8
==19089==    at 0x85360B8: nsFrameList::FirstChild() const (nsFrameList.h:246)
==19089==    by 0x862C43C: nsOverflowContinuationTracker::Finish(nsIFrame*) (nsContainerFrame.cpp:1724)
==19089==    by 0x861FCF9: nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (nsBlockReflowContext.cpp:333)
==19089==    by 0x8615899: nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:3202)
==19089==    by 0x8614071: nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:2511)
==19089==    by 0x8612C93: nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (nsBlockFrame.cpp:2022)
==19089==    by 0x8610E7B: nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsBlockFrame.cpp:1071)
==19089==    by 0x862A824: nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) (nsContainerFrame.cpp:941)
==19089==    by 0x862774C: nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) (nsColumnSetFrame.cpp:704)
==19089==    by 0x8628575: nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsColumnSetFrame.cpp:1066)
==19089==    by 0x861FC1B: nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (nsBlockReflowContext.cpp:295)
==19089==    by 0x8615899: nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:3202)
==19089==  Address 0x1de137f0 is 0 bytes inside a block of size 16 free'd
==19089==    at 0x4C2779F: free (vg_replace_malloc.c:427)
==19089==    by 0x69DF1A3: moz_free (mozalloc.cpp:81)
==19089==    by 0x862BA11: nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) (mozalloc.h:253)
==19089==    by 0x862B377: nsContainerFrame::StealFrame(nsPresContext*, nsIFrame*, bool) (nsContainerFrame.cpp:1226)
==19089==    by 0x861B7DA: nsBlockFrame::StealFrame(nsPresContext*, nsIFrame*, bool) (nsBlockFrame.cpp:5654)
==19089==    by 0x862B827: nsContainerFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) (nsContainerFrame.cpp:1372)
==19089==    by 0x861BC1B: nsBlockFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) (nsBlockFrame.cpp:5742)
==19089==    by 0x861FD2B: nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (nsBlockReflowContext.cpp:335)
==19089==    by 0x8615899: nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:3202)
==19089==    by 0x8614071: nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:2511)
==19089==    by 0x8612C93: nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (nsBlockFrame.cpp:2022)
==19089==    by 0x8610E7B: nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsBlockFrame.cpp:1071)
==19089==
OS: Windows 7 → All
Whiteboard: [asan]
Nicer version of ASAN Stack

=================================================================
==24249== ERROR: AddressSanitizer heap-use-after-free on address 0x7f66ca3da180 at pc 0x7f66f5af4930 bp 0x7fff35d1c610 sp 0x7fff35d1c608
READ of size 8 at 0x7f66ca3da180 thread T0
    #0 0x7f66f5af4930 in Enumerator aurora-src/layout/base/../generic/nsFrameList.h:367
    #1 0x7f66f6305e0f in nsOverflowContinuationTracker::Finish(nsIFrame*) aurora-src/layout/generic/nsContainerFrame.cpp:1725
    #2 0x7f66f62a43cf in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:334
    #3 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #4 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #5 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #6 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #7 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #8 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #9 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #10 0x7f66f62a3f2b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:295
    #11 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #12 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #13 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #14 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #15 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #16 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #17 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #18 0x7f66f61fc0a0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:443
    #19 0x7f66f61f81b6 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, int, int, bool, bool, bool, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:158
    #20 0x7f66f637f15d in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:4001
    #21 0x7f66f637e6f6 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:3966
    #22 0x7f66f64c438d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsCanvasFrame.cpp:563
    #23 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #24 0x7f66f6442639 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) aurora-src/layout/generic/nsGfxScrollFrame.cpp:547
    #25 0x7f66f6447e4a in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) aurora-src/layout/generic/nsGfxScrollFrame.cpp:641
    #26 0x7f66f644c1bf in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsGfxScrollFrame.cpp:882
    #27 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #28 0x7f66f68113e6 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsViewportFrame.cpp:230
    #29 0x7f66f5f9c7e9 in PresShell::DoReflow(nsIFrame*, bool) aurora-src/layout/base/nsPresShell.cpp:7549
    #30 0x7f66f5fcb368 in PresShell::ProcessReflowCommands(bool) aurora-src/layout/base/nsPresShell.cpp:7690
    #31 0x7f66f5fc989f in PresShell::FlushPendingNotifications(mozFlushType) aurora-src/layout/base/nsPresShell.cpp:3999
    #32 0x7f66f5dd5d35 in DocumentViewerImpl::LoadComplete(unsigned int) aurora-src/layout/base/nsDocumentViewer.cpp:1018
    #33 0x7f66fccda193 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) aurora-src/docshell/base/nsDocShell.cpp:6164
    #34 0x7f66fccd2781 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) aurora-src/docshell/base/nsDocShell.cpp:6003
    #35 0x7f66fccd3965 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) aurora-src/modules/zlib/src/inffast.c:0
    #36 0x7f66fcdd08b4 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) aurora-src/uriloader/base/nsDocLoader.cpp:1384
    #37 0x7f66fcdce2c5 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) aurora-src/uriloader/base/nsDocLoader.cpp:962
    #38 0x7f66fcdc7458 in nsDocLoader::DocLoaderIsEmpty(bool) aurora-src/uriloader/base/nsDocLoader.cpp:854
    #39 0x7f66fcdcba7c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) aurora-src/uriloader/base/nsDocLoader.cpp:736
    #40 0x7f66fcdcd5ed in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) aurora-src/modules/zlib/src/inffast.c:0
    #41 0x7f66f474e829 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) aurora-src/netwerk/base/src/nsLoadGroup.cpp:731
    #42 0x7f66f780ec54 in nsDocument::DoUnblockOnload() aurora-src/content/base/src/nsDocument.cpp:7255
    #43 0x7f66f780e6d1 in nsDocument::UnblockOnload(bool) aurora-src/content/base/src/nsDocument.cpp:7198
    #44 0x7f66f77c0f34 in nsDocument::DispatchContentLoadedEvents() aurora-src/content/base/src/nsDocument.cpp:4269
    #45 0x7f66f7871139 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() aurora-src/../../../dist/include/nsThreadUtils.h:345
    #46 0x7f66fff74f81 in nsThread::ProcessNextEvent(bool, bool*) aurora-src/xpcom/threads/nsThread.cpp:658
    #47 0x7f66ffc01bdd in NS_ProcessNextEvent_P(nsIThread*, bool) aurora-src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:245
    #48 0x7f66ff15a8c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) aurora-src/ipc/glue/MessagePump.cpp:110
    #49 0x7f670022ce3a in MessageLoop::RunInternal() aurora-src/ipc/chromium/src/base/message_loop.cc:209
    #50 0x7f670022cc83 in MessageLoop::RunHandler() aurora-src/ipc/chromium/src/base/message_loop.cc:202
    #51 0x7f670022cb68 in MessageLoop::Run() aurora-src/ipc/chromium/src/base/message_loop.cc:176
    #52 0x7f66fe6947fe in nsBaseAppShell::Run() aurora-src/widget/xpwidgets/nsBaseAppShell.cpp:191
    #53 0x7f66fd264098 in nsAppStartup::Run() aurora-src/toolkit/components/startup/nsAppStartup.cpp:295
    #54 0x7f66f4516323 in XRE_main aurora-src/toolkit/xre/nsAppRunner.cpp:3703
    #55 0x40a1f3 in do_main aurora-src/browser/app/nsBrowserApp.cpp:190
    #56 0x407d7e in main aurora-src/browser/app/nsBrowserApp.cpp:277
    #57 0x7f670c7afc4d in ?? ??:0
0x7f66ca3da180 is located 0 bytes inside of 16-byte region [0x7f66ca3da180,0x7f66ca3da190)
freed by thread T0 here:
    #0 0x42b972 in free ??:0
    #1 0x7f670ad18673 in moz_free aurora-src/memory/mozalloc/mozalloc.cpp:98
    #2 0x7f66f630e3f8 in nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) aurora-src/layout/generic/nsContainerFrame.cpp:1436
    #3 0x7f66f630d903 in nsContainerFrame::StealFrame(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsContainerFrame.cpp:1226
    #4 0x7f66f62819d9 in nsBlockFrame::StealFrame(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsBlockFrame.cpp:5654
    #5 0x7f66f630fe0f in nsContainerFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsContainerFrame.cpp:1372
    #6 0x7f66f6283b25 in nsBlockFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsBlockFrame.cpp:5743
    #7 0x7f66f62a44df in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:337
    #8 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #9 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #10 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #11 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #12 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #13 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #14 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #15 0x7f66f62a3f2b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:295
    #16 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #17 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #18 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #19 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #20 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #21 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #22 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #23 0x7f66f61fc0a0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:443
    #24 0x7f66f61f81b6 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, int, int, bool, bool, bool, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:158
    #25 0x7f66f637f15d in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:4001
    #26 0x7f66f637e6f6 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:3966
    #27 0x7f66f64c438d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsCanvasFrame.cpp:563
    #28 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #29 0x7f66f6442639 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) aurora-src/layout/generic/nsGfxScrollFrame.cpp:547
previously allocated by thread T0 here:
    #0 0x42ba32 in malloc ??:0
    #1 0x7f670ad187c7 in moz_xmalloc aurora-src/memory/mozalloc/mozalloc.cpp:103
    #2 0x7f66f630bb6c in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) aurora-src/layout/generic/nsContainerFrame.cpp:1671
    #3 0x7f66f62466ee in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3371
    #4 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #5 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #6 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #7 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #8 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #9 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #10 0x7f66f62a3f2b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:295
    #11 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #12 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #13 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #14 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #15 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #16 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #17 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #18 0x7f66f61fc0a0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:443
    #19 0x7f66f61f81b6 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, int, int, bool, bool, bool, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:158
    #20 0x7f66f637f15d in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:4001
    #21 0x7f66f637e6f6 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:3966
    #22 0x7f66f64c438d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsCanvasFrame.cpp:563
==24249== ABORTING
Stats: 150M malloced (151M for red zones) by 326898 calls
Stats: 40M realloced by 18262 calls
Stats: 123M freed by 217083 calls
Stats: 0M really freed by 0 calls
Stats: 332M (85040 full pages) mmaped in 83 calls
  mmaps   by size class: 8:262128; 9:49146; 10:20475; 11:16376; 12:3072; 13:2048; 14:1536; 15:384; 16:640; 17:192; 18:96; 19:48; 20:16;
  mallocs by size class: 8:242208; 9:47151; 10:17027; 11:13982; 12:2117; 13:1706; 14:1419; 15:337; 16:612; 17:183; 18:95; 19:48; 20:13;
  frees   by size class: 8:147874; 9:38691; 10:14400; 11:11362; 12:1503; 13:893; 14:1239; 15:295; 16:546; 17:170; 18:56; 19:44; 20:10;
  rfrees  by size class:
Stats: malloc large: 339 small slow: 1780
Shadow byte and word:
  0x1fecd947b430: fd
  0x1fecd947b430: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fecd947b410: fd fd fd fd fd fd fd fd
  0x1fecd947b418: fd fd fd fd fd fd fd fd
  0x1fecd947b420: fa fa fa fa fa fa fa fa
  0x1fecd947b428: fa fa fa fa fa fa fa fa
=>0x1fecd947b430: fd fd fd fd fd fd fd fd
  0x1fecd947b438: fd fd fd fd fd fd fd fd
  0x1fecd947b440: fa fa fa fa fa fa fa fa
  0x1fecd947b448: fa fa fa fa fa fa fa fa
  0x1fecd947b450: fd fd fd fd fd fd fd fd
I can reproduce this on trunk.
Status: UNCONFIRMED → NEW
Component: Untriaged → Layout
Ever confirmed: true
Product: Firefox → Core
QA Contact: untriaged → layout
Version: 13 Branch → Trunk
Interestingly it does not seem to crash my local debug build.
I can't get this to happen on beta or release.  Alice, could you narrow down a regression range?
No crash:
http://hg.mozilla.org/mozilla-central/rev/9f29daaecbcc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20111226 Firefox/12.0a1 ID:20111226031002
Crash:
http://hg.mozilla.org/mozilla-central/rev/838515a06d27
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20111226 Firefox/12.0a1 ID:20111226175818
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9f29daaecbcc&tochange=838515a06d27
Fixed range in beta channel
Crash:
http://hg.mozilla.org/releases/mozilla-beta/rev/e78e518d5269
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0 ID:20120328051619
No crash:
http://hg.mozilla.org/releases/mozilla-beta/rev/9bfe6330d055
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0 ID:20120403211507
Pushlog:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=e78e518d5269&tochange=9bfe6330d055
Thanks Alice!

Scott, can you dig in here?
Jesse might be interested in this from a fuzzing perspective.
Assignee: nobody → sjohnson
Attached file frame dump
We have an nsOverflowContinuationTracker tracking the
ExcessOverflowContainersList in this frame tree...
Assignee: sjohnson → matspal
Attached patch fixSplinter Review
nsOverflowContinuationTracker::Finish checks if the list it's tracking
will become empty (and thus deleted); it does this by checking for
a null next-sibling on the next-in-flow.  This isn't enough: there's also
the case that there's a next-sibling but it's also a next-in-flow, and so
it will also be removed by the DeleteNextInFlowChild call.
(see frame dump above)

Try results pending:
https://tbpl.mozilla.org/?tree=Try&rev=49c76b1fef8e
Attachment #617908 - Flags: review?(roc)
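The following is an added, simplified model of the failure mode described in the comment above; it is illustrative code written for this page, not Gecko's nsFrameList, nsContainerFrame or nsOverflowContinuationTracker. It assumes (as the frame dump suggests) that the tracked continuation sits at the head of a heap-allocated list which its owner frees the moment it becomes empty, that all continuations in the chain live in that same list, and that the frames themselves are owned by the caller. Rather than reading through the stale pointer as the real code did, `Finish` reports whether the tracker would have been left pointing at a freed list, so the buggy and corrected checks can be compared safely.

```cpp
#include <cstdio>

// Simplified model of the structures named in the report (not Gecko's code).
struct Frame {
    Frame* nextSibling = nullptr;  // next entry in the list that currently holds this frame
    Frame* nextInFlow = nullptr;   // next continuation of the same content, if any
};

// Heap-allocated singly linked list; the owner frees it once it is empty.
struct FrameList {
    Frame* first = nullptr;
    Frame* FirstChild() const { return first; }
    bool IsEmpty() const { return first == nullptr; }
    void Append(Frame* f) {
        f->nextSibling = nullptr;
        if (!first) { first = f; return; }
        Frame* cur = first;
        while (cur->nextSibling) cur = cur->nextSibling;
        cur->nextSibling = f;
    }
    void Remove(Frame* f) {
        if (first == f) { first = f->nextSibling; f->nextSibling = nullptr; return; }
        for (Frame* cur = first; cur; cur = cur->nextSibling) {
            if (cur->nextSibling == f) {
                cur->nextSibling = f->nextSibling;
                f->nextSibling = nullptr;
                return;
            }
        }
    }
};

// Owner of the overflow list. Like the container in the report, it deletes the
// list object as soon as the list becomes empty.
struct Container {
    FrameList* overflowList = nullptr;

    // Unlinks `frame` and every later continuation of it (assumption: all of
    // them live in overflowList). Frames are owned by the caller in this model.
    void DeleteNextInFlowChild(Frame* frame) {
        if (frame->nextInFlow) DeleteNextInFlowChild(frame->nextInFlow);
        overflowList->Remove(frame);
        if (overflowList->IsEmpty()) {
            delete overflowList;
            overflowList = nullptr;
        }
    }
};

// Keeps a raw pointer to the container's list across the deletion, like the
// tracker in the report. Assumption: the frame passed to Finish is at the head
// of the tracked list, so removing its whole chain empties the list.
struct OverflowTracker {
    FrameList* list;
    explicit OverflowTracker(const Container& c) : list(c.overflowList) {}

    // The check the report describes as insufficient: only a null next-sibling
    // on the next-in-flow counts as "the list is about to become empty".
    static bool WillBeEmptyBuggy(const Frame* nif) {
        return nif->nextSibling == nullptr;
    }

    // Corrected check: a next-sibling that is itself the next continuation will
    // be removed by the same DeleteNextInFlowChild call, so walk past those.
    static bool WillBeEmptyFixed(const Frame* nif) {
        const Frame* f = nif;
        while (f->nextSibling && f->nextSibling == f->nextInFlow) f = f->nextInFlow;
        return f->nextSibling == nullptr;
    }

    // Returns true if the tracker still holds a pointer to a list the container
    // has just freed, i.e. the read of list->FirstChild() that the real code
    // performed next would be a use-after-free.
    bool Finish(Container& c, Frame* nif, bool useFixedCheck) {
        bool willBeEmpty = useFixedCheck ? WillBeEmptyFixed(nif) : WillBeEmptyBuggy(nif);
        if (willBeEmpty) list = nullptr;  // stop tracking before the list is freed
        c.DeleteNextInFlowChild(nif);
        return list != nullptr && c.overflowList == nullptr;
    }
};

// Constructed scenario: the tracked list holds frame A followed by frame B.
// When bIsContinuationOfA is set, B is also A's next-in-flow (the case from the
// frame dump). Returns whether Finish left the tracker with a stale pointer.
bool RunScenario(bool bIsContinuationOfA, bool useFixedCheck) {
    Frame a, b;
    Container c;
    c.overflowList = new FrameList;
    c.overflowList->Append(&a);
    c.overflowList->Append(&b);
    if (bIsContinuationOfA) a.nextInFlow = &b;

    OverflowTracker tracker(c);
    bool stale = tracker.Finish(c, &a, useFixedCheck);
    delete c.overflowList;  // no-op if the container already freed it
    return stale;
}

int main() {
    std::printf("sibling is continuation, buggy check: stale=%d\n", RunScenario(true, false));
    std::printf("sibling is continuation, fixed check: stale=%d\n", RunScenario(true, true));
    std::printf("ordinary sibling, buggy check:        stale=%d\n", RunScenario(false, false));
    std::printf("ordinary sibling, fixed check:        stale=%d\n", RunScenario(false, true));
    return 0;
}
```

Only the first combination (sibling is also a continuation, buggy check) leaves a stale pointer: the buggy check sees a non-null next-sibling and keeps tracking, yet the recursive deletion removes that sibling too and the owner frees the list. The corrected check walks the sibling chain as long as each sibling is the next continuation, which is exactly the set of frames the deletion will remove. Under ASan the real code's subsequent read shows up as the heap-use-after-free in `nsFrameList::FirstChild` reported above.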
This seems unlikely to be exploitable because nsFrameList doesn't have virtual
methods, and it only has two members, both nsIFrame*, and using those should
be covered by frame poisoning.  The other nsOverflowContinuationTracker members
that might be stale are also nsIFrame*.
Actually, since nsFrameList is heap-allocated rather than in our presshell arena,
its members might point to arbitrary memory so that would still be exploitable.
It still seems rather unlikely since there would be very few (if any) heap
allocations from the time DeleteNextInFlowChild is done, until we unwind to the
nsOverflowContinuationTracker call (at least on the main thread).
(perhaps this bug tips bug 729519 over the edge to actually be worth it)
Mats, do you understand why this crashes release builds but not debug builds?
Based upon the tracking nom, I'm assuming yes, but I'll ask anyway.

At this point, are we concerned enough with this being an sg:high/crit bug to land a fix FF13's release?
Attachment #617267 - Attachment mime type: text/plain → text/html
This bug is not a regression from bug 695222, we just got lucky(?) that it changed layout in a way that allowed inferno's fuzzer to trigger it. The original testcase in the bug no longer triggers the problem so a new testcase would be useful for verification and to add to the regression testsuite. Maybe Mats has some ideas on what would set up the necessary conditions?

The nsOverflowContinuationTracker::Finish code looks like it goes back quite a ways, to bug 422283. So much has changed in layout since then that I don't know if this has been a problem the whole time, but it's probably safe to assume the ESR-10 branch ought to be patched.
https://hg.mozilla.org/integration/mozilla-inbound/rev/0cb419f67ab7
Flags: in-testsuite?
Target Milestone: --- → mozilla15
(In reply to Daniel Veditz [:dveditz] from comment #20)
> The original testcase in the bug no longer triggers the problem

Fwiw, it still crashes my ASAN build on Linux64.  So I think it's still
valuable as a crash test even though it might not crash non-ASAN builds
currently.

> Maybe Mats has some ideas on what would set up the necessary
> conditions?

Guessing: column layout with abs.pos. blocks children, in a container
that changes size causing the abs.pos. children to move to a different
column?

> The nsOverflowContinuationTracker::Finish code looks like it goes back quite
> a ways, to bug 422283. So much has changed in layout since then that I don't
> know if this has been a problem the whole time, but it's probably safe to
> assume the ESR-10 branch ought to be patched.

I think the bug was there all the time, but it might be recent abs.pos. containing
block changes that made it possible to trigger; I don't know (I don't have ASAN
branch builds).  I think we should take this on all branches, just in case.  It's a
quite low-risk patch.
https://hg.mozilla.org/mozilla-central/rev/0cb419f67ab7
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: sec-critical
Whiteboard: [asan] → [asan][sg:critical]
Please request branch and ESR approvals on this patch. Only a couple of weeks to get this in.
Comment on attachment 617908 [details] [diff] [review]
fix

[Approval Request Comment]
Regression caused by (bug #): 
User impact if declined: sg:crit crash
Testing completed (on m-c, etc.): on m-c since 2012-05-04
Risk to taking this patch (and alternatives if risky): fairly simple code
change, but the code involved is complex so that adds to the risk
String changes made by this patch: none
Attachment #617908 - Flags: approval-mozilla-beta?
Attachment #617908 - Flags: approval-mozilla-aurora?
Comment on attachment 617908 [details] [diff] [review]
fix

approving - will we need a separate patch for ESR or can this patch get ESR nom?

also, what can QA look for in terms of verifying/checking for regressions?
Attachment #617908 - Flags: approval-mozilla-beta?
Attachment #617908 - Flags: approval-mozilla-beta+
Attachment #617908 - Flags: approval-mozilla-aurora?
Attachment #617908 - Flags: approval-mozilla-aurora+
Comment on attachment 617908 [details] [diff] [review]
fix

This patch also applies to ESR.
Attachment #617908 - Flags: approval-mozilla-esr10?
>also, what can QA look for in terms of verifying/checking for regressions?

For testing, see comment 22.  Hopefully, the crash signature 
nsOverflowContinuationTracker::Finish should go away.
(for example bp-eca8998b-a155-4501-bb4e-eb6ae2120502)
I'm afraid any regressions would only show up as new crashes in layout code.
Crash Signature: nsOverflowContinuationTracker::Finish
Comment on attachment 617908 [details] [diff] [review]
fix

this is in beta now, so approved for ESR as well.
Attachment #617908 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Can someone please clarify what is required for QA to verify this fix? Specifically, is the attached testcase sufficient, and where can we get ASAN builds for Firefox 13, 14, 15, and latest-mozilla-esr10?
Whiteboard: [asan][sg:critical] → [asan][sg:critical][qa+]
Whiteboard: [asan][sg:critical][qa+] → [asan][sg:critical][qa+][advisory-tracking+]
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #33)
> Can someone please clarify what is required for QA to verify this fix?

See comment 29 / 22.

> Specifically, is the attached testcase sufficient?

Yes, but you need ASAN builds.

> and where can we get ASAN
> builds for Firefox 13, 14, 15, and latest-mozilla-esr10?

I think you have to build them yourself.
https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
Severity: normal → critical
Keywords: crash
(In reply to Mats Palmgren [:mats] from comment #34)
> I think you have to build them yourself.
> https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer

Is it possible to do this for Beta and ESR, which is what I'm immediately interested in? I'm hearing via email that it *may* be possible for Beta and *may not* for ESR.
I don't know.
Alias: CVE-2012-1940
Doesn't comment 7 mean that it wouldn't happen in current beta?
(In reply to Naoki Hirata :nhirata from comment #37)
> Doesn't comment 7 mean that it wouldn't happen in current beta?

That was for Firefox 12 Beta, not Firefox 13 Beta.
Verified fixed in an ASAN build I made from mozilla-central tip. Unfortunately, for the time being we will not be able to verify this fixed in Beta 13 / ESR 13. Untracking for QA until this changes.
Status: RESOLVED → VERIFIED
Whiteboard: [asan][sg:critical][qa+][advisory-tracking+] → [asan][sg:critical][advisory-tracking+]
qa- as per comment 39.
Whiteboard: [asan][sg:critical][advisory-tracking+] → [asan][sg:critical][advisory-tracking+][qa-]
Group: core-security
Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c92a2293ad18
Flags: in-testsuite? → in-testsuite+
Flags: sec-bounty+