Closed Bug 795740 Opened 12 years ago Closed 12 years ago

Heap-buffer-overflow in nsMappedAttributes::GetAttr

Categories

(Core :: SVG, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 795734
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 + fixed
firefox19 + fixed
firefox-esr10 - unaffected

People

(Reporter: inferno, Assigned: jwatt)

References

Details

(6 keywords, Whiteboard: [asan][fix in bug 807213][adv-main18-])

Attachments

(2 files)

Attached file Testcase
Reproduces on trunk.

=================================================================
==30432== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fce25491bb0 at pc 0x7fce50e73144 bp 0x7fff374f4370 sp 0x7fff374f4368
READ of size 8 at 0x7fce25491bb0 thread T0
    #0 0x7fce50e73143 in nsAttrName::Equals(nsIAtom*) const src/content/base/src/nsAttrName.h:107
    #1 0x7fce514afb59 in nsMappedAttributes::GetAttr(nsIAtom*) const src/content/base/src/nsMappedAttributes.cpp:112
    #2 0x7fce50e72546 in nsAttrAndChildArray::GetAttr(nsIAtom*, int) const src/content/base/src/nsAttrAndChildArray.cpp:308
    #3 0x7fce513e8ba7 in nsGenericElement::AttrValueIs(int, nsIAtom*, nsAString_internal const&, nsCaseTreatment) const src/content/base/src/nsGenericElement.cpp:2180
    #4 0x7fce5437f54c in nsEditor::IsMozEditorBogusNode(nsIContent*) src/editor/libeditor/base/nsEditor.cpp:3752
    #5 0x7fce542deb6d in nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) src/editor/libeditor/text/nsTextEditRules.cpp:1105
    #6 0x7fce54a4b38f in nsHTMLEditRules::DocumentModifiedWorker() src/editor/libeditor/html/nsHTMLEditRules.cpp:8850
    #7 0x7fce54a4c35e in nsRunnableMethodImpl<void (nsHTMLEditRules::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:349
    #8 0x7fce50feac4c in nsContentUtils::RemoveScriptBlocker() src/content/base/src/nsContentUtils.cpp:5021
    #9 0x7fce4f55b35e in ~nsAutoScriptBlocker src/../../../dist/include/nsContentUtils.h:2275
    #10 0x7fce4f5450a6 in ~nsAutoScriptBlocker src/../../../dist/include/nsContentUtils.h:2274
    #11 0x7fce51205af5 in nsDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) src/content/base/src/nsDocument.cpp:6371
    #12 0x7fce56486cd6 in nsIDOMDocument_AdoptNode(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:3452
    #13 0x7fce618efd9f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:370
    #14 0x7fce61891b79 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2460
    #15 0x7fce617ddaee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:324
    #16 0x7fce618fd566 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:509
    #17 0x7fce618ff2fb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:546
    #18 0x7fce61012289 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5679
    #19 0x7fce53329dee in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1506
    #20 0x7fce534e2b76 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9621
    #21 0x7fce5349a6c4 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9880
    #22 0x7fce534e0a28 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10147
    #23 0x7fce5b057972 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #24 0x7fce5b058e7a in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #25 0x7fce5b01c580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #26 0x7fce5acaeecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #27 0x7fce596f83b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #28 0x7fce5b2d4e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #29 0x7fce5b2d4c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #30 0x7fce5b2d4b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #31 0x7fce58b9fdda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #32 0x7fce577d29b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #33 0x7fce4de45a4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
    #34 0x7fce4de4b8c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
    #35 0x7fce4de4e774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
    #36 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #37 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
    #38 0x7fce6bd43c4c in ?? ??:0
0x7fce25491bb0 is located 0 bytes to the right of 48-byte region [0x7fce25491b80,0x7fce25491bb0)
allocated by thread T0 here:
    #0 0x4c4bb0 in __interceptor_malloc ??:0
    #1 0x7fce68bcf6da in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fce514adde9 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fce514adad7 in nsMappedAttributes::Clone(bool) src/content/base/src/nsMappedAttributes.cpp:59
    #4 0x7fce50e79a9c in nsAttrAndChildArray::GetModifiableMapped(nsMappedAttributeElement*, nsHTMLStyleSheet*, bool) src/content/base/src/nsAttrAndChildArray.cpp:698
    #5 0x7fce50e7e00d in nsAttrAndChildArray::DoSetMappedAttrStyleSheet(nsHTMLStyleSheet*) src/content/base/src/nsAttrAndChildArray.cpp:582
    #6 0x7fce513d6792 in nsAttrAndChildArray::SetMappedAttrStyleSheet(nsHTMLStyleSheet*) src/content/base/src/nsAttrAndChildArray.h:103
    #7 0x7fce513d44a7 in nsGenericElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/nsGenericElement.cpp:1429
    #8 0x7fce52234a18 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:1717
    #9 0x7fce51443e7d in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1305
    #10 0x7fce5177e9fa in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:998
    #11 0x7fce4f3a9abd in nsINode::AppendChildTo(nsIContent*, bool) src/../../../dist/include/nsINode.h:546
    #12 0x7fce5467bed0 in nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:184
    #13 0x7fce5467ff55 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:233
    #14 0x7fce546a2b75 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:564
    #15 0x7fce546df259 in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
    #16 0x7fce5b01c580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #17 0x7fce5acaeecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #18 0x7fce596f83b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #19 0x7fce5b2d4e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #20 0x7fce5b2d4c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #21 0x7fce5b2d4b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #22 0x7fce58b9fdda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #23 0x7fce577d29b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #24 0x7fce4de45a4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
Shadow byte and word:
  0x1ff9c4a92376: fb
  0x1ff9c4a92370: 00 00 00 00 00 00 fb fb
More shadow bytes:
  0x1ff9c4a92350: 00 00 00 00 00 00 fb fb
  0x1ff9c4a92358: fb fb fb fb fb fb fb fb
  0x1ff9c4a92360: fa fa fa fa fa fa fa fa
  0x1ff9c4a92368: fa fa fa fa fa fa fa fa
=>0x1ff9c4a92370: 00 00 00 00 00 00 fb fb
  0x1ff9c4a92378: fb fb fb fb fb fb fb fb
  0x1ff9c4a92380: fa fa fa fa fa fa fa fa
  0x1ff9c4a92388: fa fa fa fa fa fa fa fa
  0x1ff9c4a92390: 00 00 00 00 00 00 fb fb
Stats: 248M malloced (291M for red zones) by 513062 calls
Stats: 42M realloced by 23898 calls
Stats: 215M freed by 285981 calls
Stats: 82M really freed by 202117 calls
Stats: 472M (120918 full pages) mmaped in 118 calls
  mmaps   by size class: 8:311277; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:256; 16:1024; 17:1248; 18:144; 19:40; 20:20;
  mallocs by size class: 8:446029; 9:33587; 10:8439; 11:16310; 12:2367; 13:1796; 14:1471; 15:340; 16:1191; 17:1317; 18:154; 19:41; 20:20;
  frees   by size class: 8:235584; 9:24655; 10:5273; 11:13220; 12:1573; 13:1503; 14:1288; 15:297; 16:1128; 17:1300; 18:105; 19:38; 20:17;
  rfrees  by size class: 8:180868; 9:8332; 10:1728; 11:8347; 12:548; 13:471; 14:415; 15:177; 16:931; 17:271; 18:24; 19:4; 20:1;
Stats: malloc large: 1532 small slow: 2427
==30432== ABORTING
Attached file stack
A Linux64 debug build aborts the test with:
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file layout/svg/nsSVGUtils.cpp, line 385
Looks similar to bug 792857.
Severity: normal → critical
Component: General → SVG
Depends on: CVE-2012-5836
Product: Firefox → Core
Whiteboard: [asan]
Can I be cc'ed on 792857?
Assignee: nobody → jwatt
I have a fix for this in bug 807213.
Whiteboard: [asan] → [asan][fix in bug 807213]
The fix in bug 807213 has now landed for 19, 18 and 17.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Keywords: verifyme
Resolution: --- → FIXED
(In reply to Jonathan Watt [:jwatt] from comment #5)
> The fix in bug 807213 has now landed for 19, 18 and 17.

Is the ESR affected by this bug? If so, please prepare a patch and nominate for uplift.
(Matt will take a look at this along with 802638 to see if we can repro on ESR10)
QA Contact: mwobensmith
Is 16 affected by this or was this 17 and up only?
Whiteboard: [asan][fix in bug 807213] → [asan][fix in bug 807213][adv-track-main17+]
Confirmed crash in 2012-9-30, nightly build 19.0a1
Confirmed fixed in 2012-11-6, nightly build 19.0a1
Confirmed NO crash in 2012-10-24, build 10.0.10esr
Mac 10.8.2, Windows 7 and Ubuntu 11.10
Depends on: 807213
Flags: sec-bounty?
bug 807213 says 17 fixed and this one says 17 unaffected. Color me confused.
It was checked in on 17 since, although this bug may not be reproducible on 17, there's the potential for the underlying issue fixed in bug 807213 to be exploitable in other (currently unknown) ways.
This bug is essentially a duplicate of bug 795734, or at least both stem from the same cause: using a frame as the wrong type without checking.

Checking in a testcase for this manifestation would still be useful.
No longer depends on: CVE-2012-5836
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Whiteboard: [asan][fix in bug 807213][adv-track-main17+] → [asan][fix in bug 807213][adv-main18-]
Group: core-security