Closed
Bug 810303
Opened 12 years ago
Closed 12 years ago
xul.dll!nsHTMLFramesetFrame..GetSizeOfChildAt use-after-free
Categories
(Core :: Layout, defect)
Tracking
RESOLVED
FIXED
mozilla20
People
(Reporter: abbGZcvu_bugzilla.mozilla.org, Assigned: MatsPalmgren_bugz)
References
Details
(4 keywords, Whiteboard: [fixed by bug 814995][adv-main20-])
Crash Data
Attachments
(1 file)
437 bytes,
text/html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Steps to reproduce:
Repro:
<!DOCTYPE html>
<html>
<head>
<script>
window.onload = function() {
document.removeChild(document.documentElement);
var oFrameset1 = document.createElement('frameset'),
oFrameset2 = document.createElement('frameset');
document.appendChild(oFrameset1);
oFrameset1.appendChild(oFrameset2);
alert(oFrameset2.offsetWidth);
};
</script>
</head>
</html>
Actual results:
Firefox crashes because it is using a freed and poisoned Frame. This use-after-free is not considered a security issue because the poisoning prevents exploitation.
Expected results:
Firefox should not crash.
Attachment #680074 - Attachment mime type: text/plain → text/html
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Comment 2•12 years ago
This is not a duplicate of bug 571653. They crash in the same function but on different lines with different symptoms. That one's a divide-by-zero, this one is UAF.
The crashing address is in the neighborhood of frame-poisoned values, but seems like too big an offset from what I usually see. We should test this using ASan or Valgrind. If it's frame-poisoned those won't complain (because the arena is still valid), but if it's merely mimicking frame-poisoning we should be able to see the difference.
Group: core-security
Status: RESOLVED → REOPENED
Crash Signature: [@ nsHTMLFramesetFrame::GetSizeOfChildAt(int, nsSize&, nsIntPoint&) ]
Ever confirmed: true
Resolution: DUPLICATE → ---
Comment 3•12 years ago
needinfo?mwobensmith to see what ASAN reports here.
Component: Untriaged → Layout
Flags: needinfo?(mwobensmith)
Product: Firefox → Core
Comment 4•12 years ago
This crash does not reproduce on nightly FF 20, 2012-12-19.
However, I can get the crash using an ASan build of release 17.0.1. Symbolized stack trace below.
==92874== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x000105b7ae15 sp 0x7fff5fbec520 bp 0x7fff5fbec5f0 T0)
AddressSanitizer can not provide additional info.
#0 0x105b7ae14 in nsHTMLFramesetFrame::GetDesiredSize nsFrameSetFrame.cpp:724
#1 0x105b7dc8e in nsHTMLFramesetFrame::Reflow nsFrameSetFrame.cpp:932
#2 0x105ac2ba4 in nsBlockReflowContext::ReflowBlock nsBlockReflowContext.cpp:268
#3 0x105a9c584 in nsBlockFrame::ReflowBlockFrame nsBlockFrame.cpp:3205
#4 0x105a96ce3 in nsBlockFrame::ReflowLine nsBlockFrame.cpp:2513
#5 0x105a8bc2e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:2019
#6 0x105a81c97 in nsBlockFrame::Reflow nsBlockFrame.cpp:1068
#7 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
#8 0x105bca044 in nsCanvasFrame::Reflow nsCanvasFrame.cpp:463
#9 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
#10 0x105b91019 in nsHTMLScrollFrame::ReflowScrolledFrame nsGfxScrollFrame.cpp:523
#11 0x105b91852 in nsHTMLScrollFrame::ReflowContents nsGfxScrollFrame.cpp:623
#12 0x105b94a2f in nsHTMLScrollFrame::Reflow nsGfxScrollFrame.cpp:864
#13 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
#14 0x105d123d2 in ViewportFrame::Reflow nsViewportFrame.cpp:200
#15 0x105984ee8 in PresShell::DoReflow nsPresShell.cpp:7431
#16 0x10599a3ba in PresShell::ProcessReflowCommands nsPresShell.cpp:7578
#17 0x1059997a1 in PresShell::FlushPendingNotifications nsPresShell.cpp:3895
#18 0x1062f9e6f in nsDocument::FlushPendingNotifications nsDocument.cpp:6360
#19 0x106392f2e in nsGenericElement::GetStyledFrame nsGenericElement.cpp:1794
#20 0x1067967fd in nsGenericHTMLElement::GetOffsetRect nsGenericHTMLElement.cpp:471
#21 0x106798ce0 in nsGenericHTMLElement::GetOffsetWidth nsGenericHTMLElement.cpp:602
#22 0x107e826b2 in nsIDOMHTMLElement_GetOffsetWidth dom_quickstubs.cpp:14667
#23 0x10a869d07 in js::CallJSPropertyOp, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) jscntxtinlines.h:445
#24 0x10a870c50 in js::Shape::get jsscopeinlines.h:304
#25 0x10a856baf in js_NativeGetInline jsobj.cpp:4462
#26 0x10a857b1b in js_GetPropertyHelperInline Root.h:330
#27 0x10a85783d in js::GetPropertyHelper jsobj.cpp:4625
#28 0x10a7ecb4c in js::GetPropertyOperation jsinterpinlines.h:270
#29 0x10a79c581 in js::Interpret jsinterp.cpp:2293
#30 0x10acf9372 in js::mjit::EnterMethodJIT MethodJIT.cpp:1043
#31 0x10acf9e72 in CheckStackAndEnterMethodJIT MethodJIT.cpp:1074
#32 0x10a78d4f7 in js::RunScript jsinterp.cpp:306
#33 0x10a7e282a in js::InvokeKernel jsinterp.cpp:363
#34 0x10a7e4200 in js::Invoke jsinterp.h:119
#35 0x10a5e327e in JS_CallFunctionValue jsapi.cpp:5850
#36 0x106cad3ab in nsJSContext::CallEventHandler nsJSEnvironment.cpp:1917
#37 0x106f98a2c in nsJSEventListener::HandleEvent nsJSEventListener.cpp:188
#38 0x1066a014e in nsEventListenerManager::HandleEventInternal nsEventListenerManager.cpp:800
#39 0x10672ce87 in nsEventTargetChainItem::HandleEvent nsEventListenerManager.h:142
#40 0x1067261a8 in nsEventTargetChainItem::HandleEventTargetChain nsEventDispatcher.cpp:314
#41 0x10672b201 in nsEventDispatcher::Dispatch nsEventDispatcher.cpp:635
#42 0x1058d2e38 in DocumentViewerImpl::LoadComplete nsDocumentViewer.cpp:1024
#43 0x108095fb5 in nsDocShell::EndPageLoad nsDocShell.cpp:6429
#44 0x1080921cd in nsDocShell::OnStateChange nsDocShell.cpp:6260
#45 0x10809288f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) (in XUL) + 15
#46 0x10812472c in nsDocLoader::DoFireOnStateChange nsDocLoader.cpp:1351
#47 0x10812335a in nsDocLoader::doStopDocumentLoad nsDocLoader.cpp:931
#48 0x10811fbf4 in nsDocLoader::DocLoaderIsEmpty nsDocLoader.cpp:820
#49 0x108121d6d in nsDocLoader::OnStopRequest nsDocLoader.cpp:704
#50 0x108122dbc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (in XUL) + 12
#51 0x105178be1 in nsLoadGroup::RemoveRequest nsLoadGroup.cpp:698
#52 0x106303954 in nsDocument::DoUnblockOnload nsDocument.cpp:7223
#53 0x1062e18c0 in nsDocument::DispatchContentLoadedEvents nsDocument.cpp:4240
#54 0x10632c529 in nsRunnableMethodImpl<void , true>::Run nsThreadUtils.h:349
#55 0x1094c46e7 in nsThread::ProcessNextEvent nsThread.cpp:624
#56 0x1093bcfa8 in NS_ProcessPendingEvents_P nsThreadUtils.cpp:170
#57 0x108aa486e in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:97
#58 0x1089f317c in nsAppShell::ProcessGeckoEvents nsAppShell.mm:402
#59 0x7fff91b4e100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
#60 0x7fff91b4da24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
#61 0x7fff91b70dc4 in __CFRunLoopRun (in CoreFoundation) + 788
#62 0x7fff91b706b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
#63 0x7fff8b5140a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
#64 0x7fff8b513d83 in ReceiveNextEventCommon (in HIToolbox) + 165
#65 0x7fff8b513cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
#66 0x7fff8d811612 in _DPSNextEvent (in AppKit) + 684
#67 0x7fff8d810ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
#68 0x1089f11e7 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] nsAppShell.mm:168
#69 0x7fff8d808282 in -[NSApplication run] (in AppKit) + 516
#70 0x1089f3f19 in nsAppShell::Run nsAppShell.mm:756
#71 0x10832b690 in nsAppStartup::Run nsAppStartup.cpp:273
#72 0x1050c2a02 in XREMain::XRE_mainRun nsAppRunner.cpp:3812
#73 0x1050c31ad in XREMain::XRE_main nsAppRunner.cpp:3889
#74 0x1050c3b7a in XRE_main nsAppRunner.cpp:3965
#75 0x100002c34 in main nsBrowserApp.cpp:174
#76 0x1000015a3 in start (in firefox-bin) + 51
#77 0x0 in 0x0000000100000000 (in firefox-bin)
Stats: 496M malloced (400M for red zones) by 726592 calls
Stats: 58M realloced by 23004 calls
Stats: 434M freed by 540537 calls
Stats: 292M really freed by 249088 calls
Stats: 668M (171111 full pages) mmaped in 152 calls
mmaps by size class: 8:409575; 9:65528; 10:24570; 11:20470; 12:6144; 13:3584; 14:1536; 15:1024; 16:448; 17:1280; 18:176; 19:40; 20:24; 21:4; 24:5;
mallocs by size class: 8:539164; 9:92472; 10:47081; 11:28122; 12:7993; 13:5222; 14:2319; 15:1516; 16:740; 17:1650; 18:231; 19:46; 20:28; 21:3; 24:6;
frees by size class: 8:384763; 9:73650; 10:40802; 11:24430; 12:6493; 13:4583; 14:2032; 15:1435; 16:584; 17:1621; 18:69; 19:43; 20:24; 21:3; 24:6;
rfrees by size class: 8:152462; 9:38958; 10:27651; 11:20141; 12:2957; 13:2477; 14:1508; 15:1035; 16:431; 17:1344; 18:59; 19:41; 20:21; 24:3;
Stats: malloc large: 2047 small slow: 3969
Flags: needinfo?(mwobensmith)
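Comment 2 asks for an ASan or Valgrind run to tell a frame-poisoned dereference (poison value plus a small field offset, arena still valid, so ASan reports only a plain crash) apart from a real heap use-after-free, and comment 4 supplies the raw ASan report. The script below is an added example, not Mozilla code: it parses an ASan ERROR header and stack frames (old "crashed on unknown address" and newer "<bug-type> on address ... at pc" formats) and buckets the faulting address into heap-uaf, null-deref, poison-deref, near-poison or wild. The function names parse_asan, classify and summarize are this example's own; POISON_BASE and the window sizes are constructed placeholders (Gecko chooses its real poison base at runtime from a reserved, never-mapped region), and POISON_REPORT and UAF_REPORT are constructed inputs, while GECKO_REPORT is an excerpt of the report in comment 4.

```python
"""Triage helper for AddressSanitizer output (added example, not Mozilla code).
Parses the ERROR header plus stack frames and classifies the faulting address:
  heap-uaf      ASan itself reported heap-use-after-free (it saw the free)
  null-deref    null pointer plus a field offset
  poison-deref  frame-poison value plus a small offset (arena still mapped,
                so ASan only sees a plain crash, as comment 2 predicts)
  near-poison   poison-like address but the offset is suspiciously large
  wild          anything else
POISON_BASE below is a constructed placeholder, not Gecko's real value."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

POISON_BASE = 0x7FFFFFFFF0DE0000  # assumed/constructed, not Gecko's real poison base
POISON_PAGE = 0x1000              # poison + offset below this looks like a field access
NEAR_WINDOW = 0x100000            # "neighbourhood" of the poison value (assumed window)
NULL_WINDOW = 0x10000             # null pointer plus a field offset (assumed window)

HEADER = re.compile(
    r"==\d+==\s*ERROR: AddressSanitizer:?\s+(?P<kind>[A-Za-z][\w-]*)"
    r".*?address 0x(?P<addr>[0-9a-fA-F]+).*?pc 0x(?P<pc>[0-9a-fA-F]+)")
FRAME = re.compile(r"^\s*#(?P<n>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<rest>.+?)\s*$")
LOC = re.compile(r"^(?P<func>.*?)\s+(?P<loc>\S+:\d+)$")  # trailing file:line, if symbolized


@dataclass
class Frame:
    index: int
    pc: int
    func: str
    loc: Optional[str]  # "file.cpp:123" when symbolized, else None


@dataclass
class AsanReport:
    kind: str  # "crashed"/"SEGV" for a plain fault, or an ASan bug type
    addr: int
    pc: int
    frames: List[Frame] = field(default_factory=list)


def parse_asan(text: str) -> AsanReport:
    """Parse the first ERROR header and the #N frames that follow it."""
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        if report is None:
            h = HEADER.search(line)
            if h:
                report = AsanReport(h["kind"], int(h["addr"], 16), int(h["pc"], 16))
            continue
        f = FRAME.match(line)
        if not f:
            continue
        rest = f["rest"]
        m = LOC.match(rest)
        func, loc = (m["func"], m["loc"]) if m else (rest, None)
        report.frames.append(Frame(int(f["n"]), int(f["pc"], 16), func, loc))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def classify(report: AsanReport) -> str:
    """Bucket the fault the way comment 2 proposes distinguishing the cases."""
    if report.kind == "heap-use-after-free":
        return "heap-uaf"
    a = report.addr
    if a < NULL_WINDOW:
        return "null-deref"
    off = a - POISON_BASE
    if 0 <= off < POISON_PAGE:
        return "poison-deref"
    if -NEAR_WINDOW <= off < NEAR_WINDOW:
        return "near-poison"
    return "wild"


def summarize(text: str) -> str:
    """One-line triage string: bucket, address and the top frame."""
    r = parse_asan(text)
    top = r.frames[0] if r.frames else None
    where = "" if top is None else f" in {top.func}" + (f" ({top.loc})" if top.loc else "")
    return f"{classify(r)} at 0x{r.addr:x}{where}"


# Excerpt of the report in comment 4 (header plus the top three frames).
GECKO_REPORT = """\
==92874== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x000105b7ae15 sp 0x7fff5fbec520 bp 0x7fff5fbec5f0 T0)
AddressSanitizer can not provide additional info.
#0 0x105b7ae14 in nsHTMLFramesetFrame::GetDesiredSize nsFrameSetFrame.cpp:724
#1 0x105b7dc8e in nsHTMLFramesetFrame::Reflow nsFrameSetFrame.cpp:932
#2 0x105ac2ba4 in nsBlockReflowContext::ReflowBlock nsBlockReflowContext.cpp:268
"""
# Constructed headers for the two outcomes comment 2 wants to tell apart.
POISON_REPORT = ("==1== ERROR: AddressSanitizer crashed on unknown address "
                 f"0x{POISON_BASE + 0x18:x} (pc 0x000105b7ae15 sp 0x0 bp 0x0 T0)\n"
                 "#0 0x105b7ae14 in nsHTMLFramesetFrame::GetDesiredSize nsFrameSetFrame.cpp:724\n")
UAF_REPORT = ("==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00001f3d0 "
              "at pc 0x000105b7ae15 bp 0x0 sp 0x0\n"
              "    #0 0x105b7ae14 in nsHTMLFramesetFrame::GetDesiredSize nsFrameSetFrame.cpp:724\n")

if __name__ == "__main__":
    for name, text in (("comment 4", GECKO_REPORT), ("poison", POISON_REPORT), ("uaf", UAF_REPORT)):
        print(f"{name}: {summarize(text)}")
```

Run against the comment 4 excerpt the result is null-deref at address 0, which is why the ASan build shows no use-after-free report for this path: the sanitizer only saw a plain fault, not an access to memory it had tracked as freed.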
Comment 6•12 years ago
WFM, m-c ASan debug build on Linux64.
I'm pretty sure this was fixed by bug 814995.
Assignee: nobody → matspal
Severity: normal → critical
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Depends on: 814995
Flags: needinfo?(matspal) → in-testsuite?
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Whiteboard: [sg:dupe 814995][fixed by bug 814995]
Target Milestone: --- → mozilla20
Updated•12 years ago
status-b2g18:
--- → wontfix
status-firefox-esr10:
--- → unaffected
status-firefox19:
--- → wontfix
status-firefox20:
--- → fixed
status-firefox21:
--- → fixed
status-firefox-esr17:
--- → wontfix
Whiteboard: [sg:dupe 814995][fixed by bug 814995] → [fixed by bug 814995]
Updated•12 years ago
Whiteboard: [fixed by bug 814995] → [fixed by bug 814995][adv-main20+]
Updated•12 years ago
Whiteboard: [fixed by bug 814995][adv-main20+] → [fixed by bug 814995][adv-main20-]
Comment 7•10 years ago
Landed the crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2f406ead9a4c
Group: core-security
Flags: in-testsuite? → in-testsuite+
Comment 8•10 years ago
Updated•7 years ago
Keywords: csectype-uaf