Out of bounds READ in nsRegion::Or

Status: RESOLVED FIXED

Product: Core
Component: SVG
Priority: --
Severity: critical

People: Reporter: Abhishek Arya, Assigned: jwatt

Tracking
Version: unspecified
Hardware: x86_64
OS: All
Keywords (6): assertion, crash, regression, reproducible, sec-critical, testcase
Points: ---
Bug Flags: sec-bounty +, in-testsuite ?

Firefox Tracking Flags: firefox16 unaffected, firefox17 unaffected, firefox18+ fixed, firefox19+ fixed, firefox-esr10 unaffected

Whiteboard: [asan][fix in bug 807213][adv-main18+]

Attachments: 4 attachments

(Reporter)

Description

5 years ago
Created attachment 666347 [details]
Testcase

Reproduces on trunk
=================================================================
==26893== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f0296c82090 at pc 0x7f02bcb74d01 bp 0x7fff904f2d10 sp 0x7fff904f2d08
READ of size 4 at 0x7f0296c82090 thread T0
    #0 0x7f02bcb74d00 in nsRegion::Or(nsRegion const&, nsRegion const&) src/gfx/src/nsRegion.cpp:776
    #1 0x7f02c2d6edac in nsSVGOuterSVGFrame::InvalidateSVG(nsRegion const&) src/layout/svg/nsSVGOuterSVGFrame.h:150
    #2 0x7f02c2dc5582 in nsSVGUtils::InvalidateBounds(nsIFrame*, bool, nsRect const*, unsigned int) src/layout/svg/nsSVGUtils.cpp:490
    #3 0x7f02c2dc6043 in nsSVGUtils::InvalidateAndScheduleReflowSVG(nsIFrame*) src/layout/svg/nsSVGUtils.cpp:572
    #4 0x7f02c2c8a9f9 in nsSVGMarkerProperty::DoUpdate() src/layout/svg/nsSVGEffects.cpp:282
    #5 0x7f02c2c898f6 in nsSVGRenderingObserver::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int, nsIContent*) src/layout/svg/nsSVGEffects.cpp:223
    #6 0x7f02bed8ffe9 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, int, nsIContent*) src/content/base/src/nsNodeUtils.cpp:177
    #7 0x7f02beceb2c4 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1364
    #8 0x7f02bf023e0c in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:1008
    #9 0x7f02becd3a47 in nsINode::RemoveChild(nsINode*) src/content/base/src/nsINode.cpp:455
    #10 0x7f02c3d75681 in nsIDOMNode_RemoveChild(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:5476
    #11 0x7f02cf194d9f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:370
    #12 0x7f02cf136b79 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2460
    #13 0x7f02cf082aee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:324
    #14 0x7f02cf1a2566 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:509
    #15 0x7f02cf1a42fb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:546
    #16 0x7f02ce8b7289 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5679
    #17 0x7f02c0bcedee in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1506
    #18 0x7f02c0d87b76 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9621
    #19 0x7f02c0d3f6c4 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9880
    #20 0x7f02c0d85a28 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10147
    #21 0x7f02c88fc972 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #22 0x7f02c88fde7a in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #23 0x7f02c88c1580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #24 0x7f02c8553ecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #25 0x7f02c6f9da1d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:117
    #26 0x7f02c8b79e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #27 0x7f02c8b79c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #28 0x7f02c8b79b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #29 0x7f02c6444dda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #30 0x7f02c50779b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #31 0x7f02bb6eaa4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
    #32 0x7f02bb6f08c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
    #33 0x7f02bb6f3774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
    #34 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #35 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
    #36 0x7f02d95e8c4c in ?? ??:0
0x7f0296c82090 is located 16 bytes to the right of 8192-byte region [0x7f0296c80080,0x7f0296c82080)
allocated by thread T0 here:
    #0 0x4c4bb0 in __interceptor_malloc ??:0
    #1 0x7f02d8636fc1 in PR_Malloc src/nsprpub/pr/src/malloc/prmem.c:435
    #2 0x7f02d7d69bb5 in PL_ArenaAllocate src/nsprpub/lib/ds/plarena.c:200
    #3 0x7f02bd13cbd0 in nsPresArena::State::Allocate(unsigned int, unsigned long) src/layout/base/nsPresArena.cpp:342
    #4 0x7f02bd13dada in nsPresArena::AllocateByFrameID(nsQueryFrame::FrameIID, unsigned long) src/layout/base/nsPresArena.cpp:512
    #5 0x7f02bd32e5c0 in nsIPresShell::AllocateFrame(nsQueryFrame::FrameIID, unsigned long) src/layout/svg/../base/nsIPresShell.h:202
    #6 0x7f02be3f53ff in nsScrollbarButtonFrame::operator new(unsigned long, nsIPresShell*) src/layout/xul/base/src/nsScrollbarButtonFrame.cpp:39
    #7 0x7f02be3f51ce in NS_NewScrollbarButtonFrame(nsIPresShell*, nsStyleContext*) src/layout/xul/base/src/nsScrollbarButtonFrame.cpp:36
    #8 0x7f02bcd6c4a7 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3623
    #9 0x7f02bcd84fd9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5555
    #10 0x7f02bcd3d4db in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9818
    #11 0x7f02bcd3f9f4 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:9962
    #12 0x7f02bcd6edc2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3748
    #13 0x7f02bcd84fd9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5555
    #14 0x7f02bcd739f1 in nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5068
    #15 0x7f02bcd6067c in nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState&, nsIContent*, nsIFrame*, PendingBinding*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3865
    #16 0x7f02bcd57416 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, nsIAtom*, bool, nsIFrame*&) src/layout/base/nsCSSFrameConstructor.cpp:4244
    #17 0x7f02bcd4ebde in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:2763
    #18 0x7f02bcd49bc5 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*, nsIFrame**) src/layout/base/nsCSSFrameConstructor.cpp:2304
    #19 0x7f02bcd9f887 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) src/layout/base/nsCSSFrameConstructor.cpp:6964
    #20 0x7f02bcd9c33e in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) src/layout/base/nsCSSFrameConstructor.cpp:6849
    #21 0x7f02bd1c5e9f in PresShell::Initialize(int, int) src/layout/base/nsPresShell.cpp:1689
    #22 0x7f02be7ebce9 in nsContentSink::StartLayout(bool) src/content/base/src/nsContentSink.cpp:1181
    #23 0x7f02c1f4d64e in nsHtml5TreeOpExecutor::StartLayout() src/parser/html/nsHtml5TreeOpExecutor.cpp:744
    #24 0x7f02c1f309f2 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:631
Shadow byte and word:
  0x1fe052d90412: fa
  0x1fe052d90410: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1fe052d903f0: 00 00 00 00 00 00 00 00
  0x1fe052d903f8: 00 00 00 00 00 00 00 00
  0x1fe052d90400: 00 00 00 00 00 00 00 00
  0x1fe052d90408: 00 00 00 00 00 00 00 00
=>0x1fe052d90410: fa fa fa fa fa fa fa fa
  0x1fe052d90418: fa fa fa fa fa fa fa fa
  0x1fe052d90420: fa fa fa fa fa fa fa fa
  0x1fe052d90428: fa fa fa fa fa fa fa fa
  0x1fe052d90430: fa fa fa fa fa fa fa fa
Stats: 241M malloced (265M for red zones) by 401391 calls
Stats: 41M realloced by 23511 calls
Stats: 213M freed by 282141 calls
Stats: 79M really freed by 201165 calls
Stats: 468M (119893 full pages) mmaped in 117 calls
  mmaps   by size class: 8:311277; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:256; 16:1024; 17:1248; 18:128; 19:40; 20:20;
  mallocs by size class: 8:336578; 9:32473; 10:8076; 11:15816; 12:2271; 13:1709; 14:1445; 15:331; 16:1173; 17:1311; 18:148; 19:40; 20:20;
  frees   by size class: 8:233306; 9:24000; 10:5004; 11:12793; 12:1486; 13:1426; 14:1266; 15:290; 16:1115; 17:1295; 18:105; 19:38; 20:17;
  rfrees  by size class: 8:180637; 9:7797; 10:1702; 11:8272; 12:534; 13:457; 14:394; 15:176; 16:930; 17:237; 18:24; 19:4; 20:1;
Stats: malloc large: 1519 small slow: 2174
==26893== ABORTING
(Reporter)

Comment 1

5 years ago
Created attachment 666348 [details]
Testcase

This looks like a new regression that is hitting a crazy lot.

=================================================================
==27385== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f89bcae8190 at pc 0x7f89e6f68cff bp 0x7fffa9454750 sp 0x7fffa9454748
READ of size 8 at 0x7f89bcae8190 thread T0
    #0 0x7f89e6f68cfe in nsRegion::RgnRect::RgnRect(nsRegion::RgnRect const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.h:48
    #1 0x7f89e6f318bb in nsRegion::RgnRect::RgnRect(nsRegion::RgnRect const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.h:48
    #2 0x7f89e6f301a6 in nsRegion::Merge(nsRegion const&, nsRegion const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.cpp:526
    #3 0x7f89e6f37f91 in nsRegion::Or(nsRegion const&, nsRegion const&) /usr/local/google/home/aarya/firefox/src/gfx/src/nsRegion.cpp:784
    #4 0x7f89ed131dac in nsSVGOuterSVGFrame::InvalidateSVG(nsRegion const&) /usr/local/google/home/aarya/firefox/src/layout/svg/nsSVGOuterSVGFrame.h:150
Created attachment 666362 [details]
stack + assertions for 1st testcase

A Linux64 debug build aborts the 1st test with:
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file layout/svg/nsSVGUtils.cpp, line 385
Created attachment 666363 [details]
stack for 2nd testcase

Same abort for the 2nd testcase.
Looks similar to bug 792857. Once that bug is fixed we should investigate
if the assertions in the 1st test are a separate problem:
###!!! ASSERTION: Shouldn't be trying to restyle non-elements directly: '!aContent || aContent->IsElement()', file layout/base/nsStyleChangeList.cpp, line 65
###!!! ASSERTION: aFrame's content should be an element: 'aFrame->GetContent()->IsElement()', file layout/svg/nsSVGEffects.cpp, line 480
Severity: normal → critical
Component: General → SVG
Depends on: 792857
Keywords: assertion, crash, reproducible, testcase
Product: Firefox → Core
Whiteboard: [asan]
Version: Trunk → unspecified
(Reporter)

Comment 5

5 years ago
I think this and https://bugzilla.mozilla.org/show_bug.cgi?id=795740 and many other different stacks I am seeing all have svg markers in common. I think something regressed there really badly and is crashing all over the place.
Keywords: sec-critical
Abhishek: we did land "DBLI" that has regressed a bunch of stuff since late September -- that explains some of these bugs, but not ones like bug 792857 that existed in Firefox 15 (and maybe before?)
(Reporter)

Comment 7

5 years ago
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Abhishek: we did land "DBLI" that has regressed a bunch of stuff since late
> September -- that explains some of these bugs, but not ones like bug 792857
> that existed in Firefox 15 (and maybe before?)

Sorry, what is DBLI? Yes, all these regressions were new; in fact, I had to disable svg markers to turn the noise down.
DLBI is bug 539356.

This stack looks very similar to the one in bug 798010, and the timing for this one is right for it to also be a regression from dlbi, so it could be a dupe of this one. The second test case here looks vaguely similar.
Assignee: nobody → jwatt
Blocks: 539356
status-firefox-esr10: --- → unaffected
status-firefox17: --- → unaffected
status-firefox18: --- → affected
status-firefox19: --- → affected
tracking-firefox18: --- → +
tracking-firefox19: --- → +
Keywords: regression
Actually we don't know that 17 is unaffected yet
No longer blocks: 539356
status-firefox17: unaffected → ---
Keywords: regression
(In reply to Andrew McCreight [:mccr8] from comment #8)
> This stack looks very similar to the one in bug 798010, and the timing for
> this one is right for it to also be a regression from dlbi

Or a pre-existing issue that is more likely to happen because dlbi changed the order or timing of something...
I have a fix for this in bug 807213.
Whiteboard: [asan] → [asan][fix in bug 807213]
The fix in bug 807213 has now landed for 19, 18 and 17.
status-firefox17: --- → fixed
status-firefox18: affected → fixed
status-firefox19: affected → fixed
Flags: in-testsuite?
Keywords: verifyme
(Assignee)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Is 16 unaffected by this bug?
Whiteboard: [asan][fix in bug 807213] → [asan][fix in bug 807213][adv-track-main17+]
(Assignee)

Updated

5 years ago
status-firefox16: --- → unaffected
status-firefox17: fixed → unaffected
Flags: sec-bounty?
Summary: Heap-buffer-overflow in nsRegion::Or → Out of bounds READ in nsRegion::Or

Comment 15

5 years ago
(In reply to Al Billings [:abillings] from comment #14)
> Is 16 unaffected by this bug?

yes.
This bug qualifies for a security bug bounty.
Depends on: 807213
No longer depends on: 792857
Flags: sec-bounty? → sec-bounty+
Duplicate of this bug: 795740
Duplicate of this bug: 798010
Whiteboard: [asan][fix in bug 807213][adv-track-main17+] → [asan][fix in bug 807213][adv-main17+]
Whiteboard: [asan][fix in bug 807213][adv-main17+] → [asan][fix in bug 807213][adv-main18+]
Alias: CVE-2013-0764
Duplicate of this bug: 802638
Group: core-security
Blocks: 539356
Keywords: regression
mass remove verifyme requests greater than 4 months old
Keywords: verifyme