Closed Bug 798691 (CVE-2013-0777) Opened 12 years ago Closed 12 years ago

Heap-use-after-free in nsDisplayBoxShadowOuter::Paint

Categories

(Core :: Layout, defect)

Platform: x86_64, All
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla19
Tracking Status
firefox19 --- fixed
firefox-esr10 --- wontfix
firefox-esr17 --- wontfix
b2g18 --- wontfix
People

(Reporter: inferno, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, csectype-uaf, sec-moderate, Whiteboard: [asan][adv-main19+])

Attachments

(3 files)

Reproduces on trunk.

Steps:
1. Visit http://ie.microsoft.com/testdrive/Graphics/HP
2. Open print dialog using ctrl+p
3. Select any printer and press enter.

=================================================================
==6937== ERROR: AddressSanitizer heap-use-after-free on address 0x7f95d27c5080 at pc 0x42f6b6 bp 0x7fff2af037f0 sp 0x7fff2af02fb8
WRITE of size 1 at 0x7f95d27c5080 thread T0
    #0 0x42f6b5 in memcpy ??:?
    #1 0x7f96206d4df8 in _cairo_surface_snapshot_copy_on_write gfx/cairo/cairo/src/cairo-surface-snapshot.c:140
    #2 0x7f961d4cbead in nsDisplayBoxShadowOuter::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2294
    #3 0x7f961d403091 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3238
    #4 0x7f96204b53ff in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicThebesLayer.cpp:139
    #5 0x7f9620497455 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:822
    #6 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #7 0x7f9620497295 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:838
    #8 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #9 0x7f9620497295 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:838
    #10 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #11 0x7f96204922b9 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:589
    #12 0x7f961d4ba9fb in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1098
    #13 0x7f961d4b9751 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:966
    #14 0x7f961d531253 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:1835
    #15 0x7f961d79c4e7 in nsSimplePageSequenceFrame::PrintNextPage() layout/generic/nsSimplePageSequence.cpp:763
    #16 0x7f961ec11ef3 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) layout/printing/nsPrintEngine.cpp:2824
    #17 0x7f961ec177d3 in nsPagePrintTimer::Run() layout/printing/nsPagePrintTimer.cpp:87
    #18 0x7f96202d4251 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #19 0x7f962020d073 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
    #20 0x7f961fdd1ce0 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #21 0x7f962036281b in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:208
    #22 0x7f961faccb0d in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #23 0x7f961cdb82c4 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3848
    #24 0x7f961cdb939a in XRE_main toolkit/xre/nsAppRunner.cpp:3923
    #25 0x408d05 in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
    #26 0x7f962681976c in ?? ??:0
0x7f95d27c5080 is located 0 bytes inside of 6844-byte region [0x7f95d27c5080,0x7f95d27c6b3c)
freed by thread T0 here:
    #0 0x432d90 in __interceptor_free ??:?
    #1 0x7f96203c22e6 in ~gfxAlphaBoxBlur gfx/thebes/gfxBlur.cpp:23
    #2 0x7f961d4cbead in nsDisplayBoxShadowOuter::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2294
    #3 0x7f961d403091 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3238
    #4 0x7f96204b53ff in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicThebesLayer.cpp:139
    #5 0x7f9620497455 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:822
    #6 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #7 0x7f9620497295 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:838
    #8 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #9 0x7f9620497295 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:838
    #10 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #11 0x7f96204922b9 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:589
    #12 0x7f961d4ba9fb in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1098
    #13 0x7f961d4b9751 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:966
    #14 0x7f961d531253 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:1835
    #15 0x7f961d79c4e7 in nsSimplePageSequenceFrame::PrintNextPage() layout/generic/nsSimplePageSequence.cpp:763
    #16 0x7f961ec11ef3 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) layout/printing/nsPrintEngine.cpp:2824
    #17 0x7f961ec177d3 in nsPagePrintTimer::Run() layout/printing/nsPagePrintTimer.cpp:87
    #18 0x7f96202d4251 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #19 0x7f962020d073 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
    #20 0x7f961fdd1ce0 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #21 0x7f962036281b in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:208
    #22 0x7f961faccb0d in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #23 0x7f961cdb82c4 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3848
    #24 0x7f961cdb939a in XRE_main toolkit/xre/nsAppRunner.cpp:3923
    #25 0x408d05 in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
    #26 0x7f962681976c in ?? ??:0
previously allocated by thread T0 here:
    #0 0x432e50 in malloc ??:?
    #1 0x7f9620c55760 in AlphaBoxBlur gfx/2d/Blur.cpp:384
    #2 0x7f96203c2a35 in gfxAlphaBoxBlur::Init(gfxRect const&, nsIntSize const&, nsIntSize const&, gfxRect const*, gfxRect const*) gfx/thebes/gfxBlur.cpp:52
    #3 0x7f961d4741f0 in nsContextBoxBlur::Init(nsRect const&, int, int, int, gfxContext*, nsRect const&, gfxRect const*, unsigned int) layout/base/nsCSSRendering.cpp:4559
    #4 0x7f961d472401 in nsCSSRendering::PaintBoxShadowOuter(nsPresContext*, nsRenderingContext&, nsIFrame*, nsRect const&, nsRect const&) layout/base/nsCSSRendering.cpp:1244
    #5 0x7f961d4cbead in nsDisplayBoxShadowOuter::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2294
    #6 0x7f961d403091 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3238
    #7 0x7f96204b53ff in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicThebesLayer.cpp:139
    #8 0x7f9620497455 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:822
    #9 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #10 0x7f9620497295 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:838
    #11 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #12 0x7f9620497295 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:838
    #13 0x7f9620494f8a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:931
    #14 0x7f96204922b9 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:589
    #15 0x7f961d4ba9fb in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1098
    #16 0x7f961d4b9751 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:966
    #17 0x7f961d531253 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:1835
    #18 0x7f961d79c4e7 in nsSimplePageSequenceFrame::PrintNextPage() layout/generic/nsSimplePageSequence.cpp:763
    #19 0x7f961ec11ef3 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) layout/printing/nsPrintEngine.cpp:2824
    #20 0x7f961ec177d3 in nsPagePrintTimer::Run() layout/printing/nsPagePrintTimer.cpp:87
    #21 0x7f96202d4251 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #22 0x7f962020d073 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
    #23 0x7f961fdd1ce0 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #24 0x7f962036281b in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:208
Shadow byte and word:
  0x1ff2ba4f8a10: fd
  0x1ff2ba4f8a10: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff2ba4f89f0: fa fa fa fa fa fa fa fa
  0x1ff2ba4f89f8: fa fa fa fa fa fa fa fa
  0x1ff2ba4f8a00: fa fa fa fa fa fa fa fa
  0x1ff2ba4f8a08: fa fa fa fa fa fa fa fa
=>0x1ff2ba4f8a10: fd fd fd fd fd fd fd fd
  0x1ff2ba4f8a18: fd fd fd fd fd fd fd fd
  0x1ff2ba4f8a20: fd fd fd fd fd fd fd fd
  0x1ff2ba4f8a28: fd fd fd fd fd fd fd fd
  0x1ff2ba4f8a30: fd fd fd fd fd fd fd fd
Stats: 905M malloced (979M for red zones) by 1833862 calls
Stats: 105M realloced by 83665 calls
Stats: 837M freed by 1481377 calls
Stats: 699M really freed by 1274702 calls
Stats: 868M (222350 full pages) mmaped in 215 calls
  mmaps by size class: 8:770001; 9:65528; 10:32760; 11:20470; 12:8192; 13:6144; 14:1792; 15:640; 16:1216; 17:1248; 18:336; 19:56; 20:24; 21:22; 22:5; 23:2;
  mallocs by size class: 8:1485067; 9:165298; 10:82797; 11:55504; 12:19877; 13:11914; 14:5299; 15:1882; 16:2399; 17:2909; 18:653; 19:160; 20:55; 21:38; 22:7; 23:3;
  frees by size class: 8:1168626; 9:145581; 10:75352; 11:50174; 12:17771; 13:11299; 14:4892; 15:1747; 16:2233; 17:2853; 18:596; 19:155; 20:53; 21:37; 22:6; 23:2;
  rfrees by size class: 8:1006654; 9:124075; 10:64219; 11:44235; 12:14331; 13:10277; 14:4368; 15:1477; 16:1972; 17:2358; 18:550; 19:108; 20:45; 21:27; 22:5; 23:1;
Stats: malloc large: 3825 small slow: 8875
==6937== ABORTING
Looks a bit like bug 792641; maybe that fix was incomplete?
Severity: normal → critical
Component: General → Graphics
Keywords: crash
Product: Firefox → Core
Whiteboard: [asan]
Attached file stacks etc
nsCSSRendering::PaintBoxShadowOuter:

1236 nsRefPtr<gfxContext> shadowContext;
1237 nsContextBoxBlur blurringArea;

The problem is the order of shadowContext and blurringArea, and that shadowContext is a strong pointer, thereby delaying the destruction of nsContextBoxBlur::mContext when it's used (when blurring) -- because the surface data is owned by nsContextBoxBlur::blur, so when it goes away (first), the shadowContext surface points to deallocated data [after blurringArea is destroyed].
Assignee: nobody → matspal
Attached patch fix
Swapping line 1236/1237 works too, but I don't like that we have an order dependent ownership issue like that, so I prefer to just use a raw pointer here, and point out that the gfxContext it points to is owned by someone else (that outlives the pointer). This seems simpler to understand. The added assertion is mostly just documentation. (not tested on Try yet)
Attachment #668861 - Flags: review?(roc)
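The ownership issue described in the two comments above (a strong reference declared before the object that owns the data it points to, so the last reference is released only after that data has been freed) can be modelled without touching any freed memory. The following is an added C++ example, not code from this bug or from the Firefox tree: Ledger, BlurBuffer, ShadowContext and ContextBoxBlur are stand-ins for the real classes, and the assumption that the owner declares its context member after its buffer member (so the context is torn down first) is part of the model, not something the bug states. Each destructor records what it observed in a log that outlives every object, so the three variants (strong reference declared first, the two declarations swapped as comment 2 mentions, and the non-owning raw pointer the patch uses) can be compared by the order of events they produce.

```cpp
#include <initializer_list>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Event log that outlives every object below, so destructors can record
// what they observed instead of reading memory that may already be freed.
struct Ledger {
    bool blurDataAlive = false;
    std::vector<std::string> events;
};

// Stand-in for the pixel buffer that ~gfxAlphaBoxBlur frees.
struct BlurBuffer {
    Ledger& ledger;
    explicit BlurBuffer(Ledger& l) : ledger(l) { ledger.blurDataAlive = true; }
    ~BlurBuffer() {
        ledger.blurDataAlive = false;
        ledger.events.push_back("blur buffer freed");
    }
};

// Stand-in for the gfxContext whose surface points into the blur buffer.
// In the report above, the copy-on-write snapshot taken while the context
// is torn down is the memcpy that AddressSanitizer flagged.
struct ShadowContext {
    Ledger& ledger;
    explicit ShadowContext(Ledger& l) : ledger(l) {}
    void Paint() { ledger.events.push_back("painted shadow"); }
    ~ShadowContext() {
        ledger.events.push_back(ledger.blurDataAlive
                                    ? "snapshot copied live pixels"
                                    : "snapshot read freed pixels");
    }
};

// Stand-in for nsContextBoxBlur: owns both the buffer and the context.
// Members are destroyed in reverse declaration order, so mContext is
// released before mBlur (an assumption of this model, not from the bug).
struct ContextBoxBlur {
    std::unique_ptr<BlurBuffer> mBlur;
    std::shared_ptr<ShadowContext> mContext;
    std::shared_ptr<ShadowContext> Init(Ledger& l) {
        mBlur = std::make_unique<BlurBuffer>(l);
        mContext = std::make_shared<ShadowContext>(l);
        return mContext;
    }
};

// Before the fix: the strong reference is declared before the owner, so it
// is destroyed after the owner and drops the last reference to the context
// only once the buffer is already gone.
std::vector<std::string> PaintStrongRefBeforeOwner() {
    Ledger ledger;
    {
        std::shared_ptr<ShadowContext> shadowContext;  // destroyed last
        ContextBoxBlur blurringArea;                   // destroyed first
        shadowContext = blurringArea.Init(ledger);
        shadowContext->Paint();
    }
    return ledger.events;
}

// "Swapping line 1236/1237 works too": the strong reference now dies first,
// and the owner then tears down context and buffer in the right order.
std::vector<std::string> PaintStrongRefAfterOwner() {
    Ledger ledger;
    {
        ContextBoxBlur blurringArea;                   // destroyed last
        std::shared_ptr<ShadowContext> shadowContext;  // destroyed first
        shadowContext = blurringArea.Init(ledger);
        shadowContext->Paint();
    }
    return ledger.events;
}

// The patch's approach: a raw pointer that takes no part in ownership, so
// the declaration order no longer matters.
std::vector<std::string> PaintRawPointer() {
    Ledger ledger;
    {
        ShadowContext* shadowContext = nullptr;  // non-owning
        ContextBoxBlur blurringArea;             // sole owner of the context
        shadowContext = blurringArea.Init(ledger).get();
        shadowContext->Paint();
    }
    return ledger.events;
}

// True when the log shows the snapshot ran after the buffer was released.
bool SnapshotUsedFreedBuffer(const std::vector<std::string>& events) {
    for (const auto& e : events)
        if (e == "snapshot read freed pixels") return true;
    return false;
}

int main() {
    for (auto fn : {&PaintStrongRefBeforeOwner, &PaintStrongRefAfterOwner, &PaintRawPointer}) {
        for (const auto& e : fn()) std::cout << e << "; ";
        std::cout << "\n";
    }
    return 0;
}
```

Only the first variant logs "snapshot read freed pixels", and it does so purely because of declaration order; the raw-pointer variant removes the dependency rather than relying on the two locals being declared in the right sequence, which is the reason the patch prefers it.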
For me, the problem only occurs in Print, not Print Preview.
Flags: in-testsuite-
We're reading already freed data into an image buffer of some sort, so potentially this data could make it to pixels on screen. This is only a problem if the memory was reallocated holding some sensitive data. On the main thread, I don't see any allocations at all that interleave the "delete mBlur" in ~gfxAlphaBoxBlur() and the ~gfxContext for shadowContext. I'm guessing our memory allocator doesn't completely insulate threads from each other though, so in theory another thread could have allocated and filled this chunk of memory. This seems extremely unlikely to me, so I'm rating this as sec-low.
Keywords: sec-low
Component: Graphics → Layout: Misc Code
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
(In reply to Mats Palmgren [:mats] from comment #5)
> This seems extremely unlikely to me, so I'm rating this as sec-low.

Exploit writing is all about turning the unlikely into a reasonably likely case, and there's a whole bag of tricks for manipulating memory allocations.
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Exploit writing is all about turning the unlikely into a reasonably likely
> case, and there's a whole bag of tricks for manipulating memory allocations.

Sigh, this is what I get for analyzing the problem? Fine, I'll just rate everything sec-critical from now on and let you deal with it.
Keywords: sec-low → sec-moderate
No, the analysis is very helpful. There are no virtual methods on the object or pointers to objects that have virtual methods so it can't be critical, and there may be data leakage but you've shown it's unlikely so it's not high. Just don't underestimate the capabilities of "heap feng shui" so that we're not blindsided by cases where virtual pointers might be involved.
Leaking the contents of the heap can be used to defeat ASLR.
Mats, I think you probably need the same fix in nsCSSRendering::PaintBoxShadowInner since I am still seeing some similar stacks.

=================================================================
==2481== ERROR: AddressSanitizer heap-use-after-free on address 0x7f4b3143d080 at pc 0x42f786 bp 0x7fffe4c34330 sp 0x7fffe4c33af8
WRITE of size 1 at 0x7f4b3143d080 thread T0
    #0 0x42f785 in __interceptor_memcpy
    #1 0x7f4b4efe7188 in _cairo_surface_snapshot_copy_on_write gfx/cairo/cairo/src/cairo-surface-snapshot.c:140
    #2 0x7f4b4be1514d in nsDisplayBoxShadowInner::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2355
    #3 0x7f4b4bd4aac1 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3256
    #4 0x7f4b4edb9daf in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicThebesLayer.cpp:139
    #5 0x7f4b4ed9bce5 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:823
    #6 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #7 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #8 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #9 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #10 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #11 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #12 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #13 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #14 0x7f4b4ed99757 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:940
    #15 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #16 0x7f4b4ed99757 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:940
    #17 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #18 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #19 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #20 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #21 0x7f4b4ed96b39 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:589
    #22 0x7f4b4be022ec in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1106
    #23 0x7f4b4be00f61 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:975
    #24 0x7f4b4be7992e in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:1853
    #25 0x7f4b4c0e44a7 in nsSimplePageSequenceFrame::PrintNextPage() layout/generic/nsSimplePageSequence.cpp:763
    #26 0x7f4b4d578373 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) layout/printing/nsPrintEngine.cpp:2824
    #27 0x7f4b4d57dc53 in nsPagePrintTimer::Run() layout/printing/nsPagePrintTimer.cpp:87
    #28 0x7f4b4ebd4491 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #29 0x7f4b4eb0df13 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
    #30 0x7f4b4e6c7750 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #31 0x7f4b4ec654bb in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:215
    #32 0x7f4b4e3b7e9d in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #33 0x7f4b4b658404 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3866
    #34 0x7f4b4b6594da in XRE_main toolkit/xre/nsAppRunner.cpp:3941
    #35 0x408d71 in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
    #36 0x7f4b5578076c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
0x7f4b3143d080 is located 0 bytes inside of 18768-byte region [0x7f4b3143d080,0x7f4b314419d0)
freed by thread T0 here:
    #0 0x432e60 in free
    #1 0x7f4b4ecc5cf6 in ~gfxAlphaBoxBlur gfx/thebes/gfxBlur.cpp:23
    #2 0x7f4b4be1514d in nsDisplayBoxShadowInner::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2355
    #3 0x7f4b4bd4aac1 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3256
    #4 0x7f4b4edb9daf in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicThebesLayer.cpp:139
    #5 0x7f4b4ed9bce5 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:823
    #6 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #7 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #8 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #9 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #10 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #11 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #12 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #13 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #14 0x7f4b4ed99757 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:940
    #15 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #16 0x7f4b4ed99757 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:940
    #17 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #18 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #19 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #20 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #21 0x7f4b4ed96b39 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:589
    #22 0x7f4b4be022ec in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const layout/base/nsDisplayList.cpp:1106
    #23 0x7f4b4be00f61 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const layout/base/nsDisplayList.cpp:975
    #24 0x7f4b4be7992e in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) layout/base/nsLayoutUtils.cpp:1853
    #25 0x7f4b4c0e44a7 in nsSimplePageSequenceFrame::PrintNextPage() layout/generic/nsSimplePageSequence.cpp:763
    #26 0x7f4b4d578373 in nsPrintEngine::PrintPage(nsPrintObject*, bool&) layout/printing/nsPrintEngine.cpp:2824
    #27 0x7f4b4d57dc53 in nsPagePrintTimer::Run() layout/printing/nsPagePrintTimer.cpp:87
    #28 0x7f4b4ebd4491 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #29 0x7f4b4eb0df13 in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:220
previously allocated by thread T0 here:
    #0 0x432f20 in __interceptor_malloc
    #1 0x7f4b4f56bcf0 in AlphaBoxBlur gfx/2d/Blur.cpp:384
    #2 0x7f4b4ecc6445 in gfxAlphaBoxBlur::Init(gfxRect const&, nsIntSize const&, nsIntSize const&, gfxRect const*, gfxRect const*) gfx/thebes/gfxBlur.cpp:52
    #3 0x7f4b4bdbb960 in nsContextBoxBlur::Init(nsRect const&, int, int, int, gfxContext*, nsRect const&, gfxRect const*, unsigned int) layout/base/nsCSSRendering.cpp:4571
    #4 0x7f4b4bdbdbd3 in nsCSSRendering::PaintBoxShadowInner(nsPresContext*, nsRenderingContext&, nsIFrame*, nsRect const&, nsRect const&) layout/base/nsCSSRendering.cpp:1440
    #5 0x7f4b4be1514d in nsDisplayBoxShadowInner::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2355
    #6 0x7f4b4bd4aac1 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) layout/base/FrameLayerBuilder.cpp:3256
    #7 0x7f4b4edb9daf in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicThebesLayer.cpp:139
    #8 0x7f4b4ed9bce5 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:823
    #9 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #10 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #11 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #12 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #13 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #14 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #15 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #16 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #17 0x7f4b4ed99757 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:940
    #18 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #19 0x7f4b4ed99757 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:940
    #20 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #21 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #22 0x7f4b4ed9bb25 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) gfx/layers/basic/BasicLayerManager.cpp:839
    #23 0x7f4b4ed9981a in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) gfx/layers/basic/BasicLayerManager.cpp:932
    #24 0x7f4b4ed96b39 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/basic/BasicLayerManager.cpp:589
Shadow byte and word:
  0x1fe966287a10: fd
  0x1fe966287a10: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fe9662879f0: fa
fa fa fa fa fa fa fa 0x1fe9662879f8: fa fa fa fa fa fa fa fa 0x1fe966287a00: fa fa fa fa fa fa fa fa 0x1fe966287a08: fa fa fa fa fa fa fa fa =>0x1fe966287a10: fd fd fd fd fd fd fd fd 0x1fe966287a18: fd fd fd fd fd fd fd fd 0x1fe966287a20: fd fd fd fd fd fd fd fd 0x1fe966287a28: fd fd fd fd fd fd fd fd 0x1fe966287a30: fd fd fd fd fd fd fd fd Stats: 491M malloced (573M for red zones) by 1372602 calls Stats: 73M realloced by 133640 calls Stats: 438M freed by 1113793 calls Stats: 327M really freed by 639120 calls Stats: 732M (187508 full pages) mmaped in 183 calls mmaps by size class: 8:688086; 9:73719; 10:45045; 11:10235; 12:5120; 13:2560; 14:1280; 15:256; 16:512; 17:1280; 18:240; 19:56; 20:116; mallocs by size class: 8:1165057; 9:120371; 10:53536; 11:17547; 12:5933; 13:4300; 14:2232; 15:598; 16:895; 17:1607; 18:286; 19:86; 20:154; frees by size class: 8:931035; 9:105861; 10:48786; 11:14185; 12:4678; 13:3952; 14:1902; 15:539; 16:828; 17:1583; 18:236; 19:62; 20:146; rfrees by size class: 8:496897; 9:79128; 10:38849; 11:13026; 12:3733; 13:2677; 14:1781; 15:376; 16:788; 17:1529; 18:225; 19:60; 20:51; Stats: malloc large: 2133 small slow: 4874 ==2481== ABORTING
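To triage a report like the one above, the useful step is to pull the three stacks apart (the bad access, the free, the allocation) and find the first frame in each that is neither an ASan interceptor nor a libc memory primitive: here the access blames the cairo snapshot copy under nsDisplayBoxShadowOuter::Paint, while the buffer was allocated by AlphaBoxBlur under nsDisplayBoxShadowInner::Paint. The parser below is an added example written for this page, not tooling from the bug or from Mozilla. It assumes the ASan report layout of that era (an ERROR line, a READ/WRITE line, then "freed by thread" and "previously allocated by thread" stacks) and deliberately tolerates text that a bug tracker has flattened onto one line, as happened here. The embedded sample is a constructed, shortened copy of the report above; its free-site frames are placeholders, because that part of the report is not shown in this section.

```python
"""Parse an AddressSanitizer report into access / free / allocation stacks
for triage, tolerating a report that a bug tracker flattened onto one line."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Frame:
    index: int
    pc: str
    symbol: str    # function name, with its parameter list when symbolized
    location: str  # "file:line", or "??:?" when the frame was not symbolized


@dataclass
class AsanReport:
    kind: str      # e.g. "heap-use-after-free"
    op: str        # READ or WRITE
    size: int
    address: str
    thread: str
    access_stack: List[Frame]
    free_stack: List[Frame]
    alloc_stack: List[Frame]


HEADER_RE = re.compile(r"ERROR: AddressSanitizer (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)")
# Location is optional: frames such as "#0 0x432f20 in __interceptor_malloc" carry none.
FRAME_RE = re.compile(r"^(?P<pc>0x[0-9a-f]+) in (?P<symbol>.+?)(?:\s+(?P<loc>\S+))?$")
FREED_MARK = "freed by thread"
ALLOC_MARK = "previously allocated by thread"
TAIL_MARKS = ("Shadow byte", "SUMMARY:", "ABORTING")
LIBC_PRIMITIVES = {"memcpy", "memmove", "memset"}


def _cut(text: str, marks) -> str:
    """Text up to the earliest of the given markers (all of it if none occur)."""
    ends = [text.find(m) for m in marks if m in text]
    return text[:min(ends)] if ends else text


def parse_frames(chunk: str) -> List[Frame]:
    """Split '#0 ... #1 ...' into frames, whether separated by newlines or spaces."""
    parts = re.split(r"\s*#(\d+)\s+", chunk.strip())
    frames = []
    for idx, body in zip(parts[1::2], parts[2::2]):
        m = FRAME_RE.match(body.strip())
        if m:
            frames.append(Frame(int(idx), m["pc"], m["symbol"], m["loc"] or "??:?"))
    return frames


def parse_asan_report(text: str) -> AsanReport:
    flat = " ".join(text.split())  # newlines or a single flattened line both work
    header = HEADER_RE.search(flat)
    if not header:
        raise ValueError("not an AddressSanitizer error report")
    access = ACCESS_RE.search(flat, header.end())
    if not access:
        raise ValueError("no READ/WRITE line found")
    body = flat[access.end():]
    # ASan prints the stacks in a fixed order: access, then free, then allocation.
    access_chunk = _cut(body, (FREED_MARK, ALLOC_MARK) + TAIL_MARKS)
    free_chunk = _cut(body.split(FREED_MARK, 1)[1], (ALLOC_MARK,) + TAIL_MARKS) if FREED_MARK in body else ""
    alloc_chunk = _cut(body.split(ALLOC_MARK, 1)[1], TAIL_MARKS) if ALLOC_MARK in body else ""
    return AsanReport(kind=header["kind"], op=access["op"], size=int(access["size"]),
                      address=access["addr"], thread=access["thread"],
                      access_stack=parse_frames(access_chunk),
                      free_stack=parse_frames(free_chunk),
                      alloc_stack=parse_frames(alloc_chunk))


def _is_runtime(f: Frame) -> bool:
    return (f.location == "??:?" or f.symbol.startswith("__interceptor_")
            or f.symbol.split("(")[0] in LIBC_PRIMITIVES)


def blame(stack: List[Frame]) -> Optional[Frame]:
    """First frame that is neither an interceptor nor a libc primitive: where to look first."""
    return next((f for f in stack if not _is_runtime(f)), None)


def fingerprint(report: AsanReport, depth: int = 3) -> str:
    """De-duplication key: bug kind plus the first blamed access-stack functions."""
    names = [f.symbol.split("(")[0] for f in report.access_stack if not _is_runtime(f)]
    return "|".join([report.kind] + names[:depth])


# Constructed sample: shortened copy of the report above; the free-site frames
# are placeholders because that part of the report is not shown in this section.
SAMPLE = """==6937== ERROR: AddressSanitizer heap-use-after-free on address 0x7f95d27c5080 at pc 0x42f6b6 bp 0x7fff2af037f0 sp 0x7fff2af02fb8
WRITE of size 1 at 0x7f95d27c5080 thread T0
#0 0x42f6b5 in memcpy ??:?
#1 0x7f96206d4df8 in _cairo_surface_snapshot_copy_on_write gfx/cairo/cairo/src/cairo-surface-snapshot.c:140
#2 0x7f961d4cbead in nsDisplayBoxShadowOuter::Paint(nsDisplayListBuilder*, nsRenderingContext*) layout/base/nsDisplayList.cpp:2294
freed by thread T0 here:
#0 0x1 in __interceptor_free
#1 0x2 in example_free_site example/free_site.cpp:1
previously allocated by thread T0 here:
#0 0x432f20 in __interceptor_malloc
#1 0x7f4b4f56bcf0 in AlphaBoxBlur gfx/2d/Blur.cpp:384
#2 0x7f4b4ecc6445 in gfxAlphaBoxBlur::Init(gfxRect const&, nsIntSize const&, nsIntSize const&, gfxRect const*, gfxRect const*) gfx/thebes/gfxBlur.cpp:52
Shadow byte and word: 0x1fe966287a10: fd
==6937== ABORTING"""

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE)
    print(fingerprint(rep))
    for name, stack in (("access", rep.access_stack), ("free", rep.free_stack), ("alloc", rep.alloc_stack)):
        f = blame(stack)
        print(f"{name}: {f.symbol.split('(')[0]} at {f.location}" if f else f"{name}: no symbolized frame")
```

`blame()` skips unsymbolized frames, `__interceptor_*` and the libc copy routines, so on the report above it lands on the cairo snapshot copy for the access and on AlphaBoxBlur for the allocation; `fingerprint()` strips parameter lists so two reports of the same bug with different template or overload noise collapse to one key when filing or de-duplicating fuzzer findings.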
Attached patch: additional fix
Ah, good catch. Thanks! Can you verify this patch fixes it?
Sorry, I don't have a reliable test case for this one. Just the stack.
OK, no worries. Since the 'shadowContext' setup here is the same, I'm pretty sure it will fix it.
Comment on attachment 674964: additional fix
More of the same. Sorry, I should have checked the inner shadow code the last time. :(
https://tbpl.mozilla.org/?tree=Try&rev=693fc472e981
Attachment #674964 - Flags: review?(roc)
Whiteboard: [asan] → [asan][adv-main19+]
Alias: CVE-2013-0777
Group: core-security
Product: Core → Core Graveyard
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core