Closed Bug 810303 Opened 12 years ago Closed 12 years ago

xul.dll!nsHTMLFramesetFrame..GetSizeOfChildAt use-after-free

Categories: Core :: Layout, defect
Version: 16 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla20

Tracking Status:
firefox19 --- wontfix
firefox20 --- fixed
firefox21 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- wontfix
b2g18 --- wontfix
People: Reporter: abbGZcvu_bugzilla.mozilla.org, Assigned: MatsPalmgren_bugz

Details: 4 keywords, Whiteboard: [fixed by bug 814995][adv-main20-]

Attachments: 1 file
Attached file repro.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Steps to reproduce:

Repro:

<!DOCTYPE html>
<html>
<head>
<script>
window.onload = function() {
  // Drop the whole tree, then rebuild it as a nested frameset and
  // force layout by reading offsetWidth on the inner frameset.
  document.removeChild(document.documentElement);
  var oFrameset1 = document.createElement('frameset'),
      oFrameset2 = document.createElement('frameset');
  document.appendChild(oFrameset1);
  oFrameset1.appendChild(oFrameset2);
  alert(oFrameset2.offsetWidth);
};
</script>
</head>
</html>

Actual results:

Firefox crashes because it is using a freed and poisoned Frame. This use-after-free is not considered a security issue because the poisoning prevents exploitation.

Expected results:

Firefox should not crash.
Attachment #680074 - Attachment mime type: text/plain → text/html
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
This is not a duplicate of bug 571653. They crash in the same function but on different lines with different symptoms. That one's a divide-by-zero, this one is UAF. The crashing address is in the neighborhood of frame-poisoned values, but seems like too big an offset from what I usually see. We should test this using ASan or Valgrind. If it's frame-poisoned those won't complain (because the arena is still valid), but if it's merely mimicking frame-poisoning we should be able to see the difference.
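As an added illustration of the frame-poisoning argument in the two comments above (the reporter's "freed and poisoned Frame" and the note that ASan or Valgrind will not complain while the arena is still valid), here is a toy arena in C. It is example code written for this page, not Mozilla's nsPresArena; the poison byte, block size, Arena and Frame types and all function names are hypothetical stand-ins for the real thing.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Mozilla code: a toy arena that mimics the idea
 * behind Gecko's frame poisoning.  Freed blocks are filled with a
 * poison byte and parked on a side list inside the arena; they are
 * never returned to malloc.  Because the arena is one live allocation,
 * ASan does not flag a read of a freed block; the read simply yields
 * the poison pattern.  All names and constants here are hypothetical. */

#define ARENA_BYTES 4096
#define BLOCK_SIZE  32          /* one size class, big enough for a Frame */
#define MAX_FREE    (ARENA_BYTES / BLOCK_SIZE)
#define POISON_BYTE 0x7f        /* 0x7f7f7f7f7f7f7f7f is a non-canonical x86-64
                                   address, so dereferencing a poisoned pointer
                                   field faults instead of reading memory an
                                   attacker controls */

typedef struct {
    unsigned char buf[ARENA_BYTES];
    size_t        used;                   /* bump pointer into buf */
    void         *free_entries[MAX_FREE]; /* side list, so the whole block stays poisoned */
    size_t        n_free;
} Arena;

static void arena_init(Arena *a) { memset(a, 0, sizeof *a); }

static void *arena_alloc(Arena *a)
{
    if (a->n_free > 0)                    /* recycle a freed block first */
        return a->free_entries[--a->n_free];
    if (a->used + BLOCK_SIZE > ARENA_BYTES)
        return NULL;
    void *p = a->buf + a->used;
    a->used += BLOCK_SIZE;
    return p;
}

static void arena_free(Arena *a, void *p)
{
    memset(p, POISON_BYTE, BLOCK_SIZE);   /* poison the entire block */
    if (a->n_free < MAX_FREE)
        a->free_entries[a->n_free++] = p;
}

/* Returns 1 if every byte of the block still carries the poison pattern. */
static int is_poisoned(const void *p)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < BLOCK_SIZE; i++)
        if (b[i] != POISON_BYTE) return 0;
    return 1;
}

/* Toy stand-in for a layout frame: parent pointer plus a size. */
typedef struct Frame { struct Frame *parent; int width; int height; } Frame;

/* Scenario 1: the block is freed but not yet reused.  The dangling
 * pointer reads back only poison; this is what a freed and poisoned
 * frame looks like in memory.  Returns 1 on the expected outcome. */
static int stale_read_sees_poison(void)
{
    Arena a; arena_init(&a);
    Frame *root  = arena_alloc(&a);
    Frame *child = arena_alloc(&a);
    root->parent = NULL;  root->width = 800;  root->height = 600;
    child->parent = root; child->width = 400; child->height = 300;

    arena_free(&a, child);                /* frame destroyed, pointer kept */
    Frame *stale = child;                 /* use-after-free */

    return is_poisoned(stale) && stale->width == 0x7f7f7f7f;
}

/* Scenario 2: the block is recycled before the dangling pointer is
 * used.  Poisoning no longer helps: the stale pointer aliases whatever
 * was allocated in its place and reads live data, not poison.
 * Returns 1 on the expected outcome. */
static int freed_block_is_recycled(void)
{
    Arena a; arena_init(&a);
    Frame *victim = arena_alloc(&a);
    victim->width = 400;
    arena_free(&a, victim);
    Frame *fresh = arena_alloc(&a);       /* arena hands back the same block */
    fresh->width = 1234;
    return fresh == victim && victim->width == 1234 && !is_poisoned(victim);
}

int main(void)
{
    printf("stale read sees poison:  %s\n", stale_read_sees_poison() ? "yes" : "no");
    printf("freed block is recycled: %s\n", freed_block_is_recycled() ? "yes" : "no");
    return 0;
}
```

Built with `-fsanitize=address`, scenario 1 still produces no report, because the arena's buffer is a single live allocation; that is exactly why the comment above expects ASan to stay quiet for genuine frame poisoning. An arena can opt in by calling ASAN_POISON_MEMORY_REGION on free and ASAN_UNPOISON_MEMORY_REGION on allocation (from <sanitizer/asan_interface.h>), which is how such a read becomes visible to the tool. Scenario 2 is the caveat: poisoning only covers the window between free and reuse. Gecko's arena keeps separate free lists per size class, so a recycled block at least holds an object of the same size; the toy has a single size class and shows the same aliasing.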
Group: core-security
Status: RESOLVED → REOPENED
Crash Signature: [@ nsHTMLFramesetFrame::GetSizeOfChildAt(int, nsSize&, nsIntPoint&) ]
Ever confirmed: true
Resolution: DUPLICATE → ---
needinfo?mwobensmith to see what ASAN reports here.
Component: Untriaged → Layout
Flags: needinfo?(mwobensmith)
Product: Firefox → Core
This crash does not reproduce on nightly FF 20, 2012-12-19. However, I can get the crash using an ASan build of release 17.0.1. Symbolized stack trace below.

==92874== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x000105b7ae15 sp 0x7fff5fbec520 bp 0x7fff5fbec5f0 T0)
AddressSanitizer can not provide additional info.
#0 0x105b7ae14 in nsHTMLFramesetFrame::GetDesiredSize nsFrameSetFrame.cpp:724
#1 0x105b7dc8e in nsHTMLFramesetFrame::Reflow nsFrameSetFrame.cpp:932
#2 0x105ac2ba4 in nsBlockReflowContext::ReflowBlock nsBlockReflowContext.cpp:268
#3 0x105a9c584 in nsBlockFrame::ReflowBlockFrame nsBlockFrame.cpp:3205
#4 0x105a96ce3 in nsBlockFrame::ReflowLine nsBlockFrame.cpp:2513
#5 0x105a8bc2e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:2019
#6 0x105a81c97 in nsBlockFrame::Reflow nsBlockFrame.cpp:1068
#7 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
#8 0x105bca044 in nsCanvasFrame::Reflow nsCanvasFrame.cpp:463
#9 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
#10 0x105b91019 in nsHTMLScrollFrame::ReflowScrolledFrame nsGfxScrollFrame.cpp:523
#11 0x105b91852 in nsHTMLScrollFrame::ReflowContents nsGfxScrollFrame.cpp:623
#12 0x105b94a2f in nsHTMLScrollFrame::Reflow nsGfxScrollFrame.cpp:864
#13 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
#14 0x105d123d2 in ViewportFrame::Reflow nsViewportFrame.cpp:200
#15 0x105984ee8 in PresShell::DoReflow nsPresShell.cpp:7431
#16 0x10599a3ba in PresShell::ProcessReflowCommands nsPresShell.cpp:7578
#17 0x1059997a1 in PresShell::FlushPendingNotifications nsPresShell.cpp:3895
#18 0x1062f9e6f in nsDocument::FlushPendingNotifications nsDocument.cpp:6360
#19 0x106392f2e in nsGenericElement::GetStyledFrame nsGenericElement.cpp:1794
#20 0x1067967fd in nsGenericHTMLElement::GetOffsetRect nsGenericHTMLElement.cpp:471
#21 0x106798ce0 in nsGenericHTMLElement::GetOffsetWidth nsGenericHTMLElement.cpp:602
#22 0x107e826b2 in nsIDOMHTMLElement_GetOffsetWidth dom_quickstubs.cpp:14667
#23 0x10a869d07 in js::CallJSPropertyOp, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) jscntxtinlines.h:445
#24 0x10a870c50 in js::Shape::get jsscopeinlines.h:304
#25 0x10a856baf in js_NativeGetInline jsobj.cpp:4462
#26 0x10a857b1b in js_GetPropertyHelperInline Root.h:330
#27 0x10a85783d in js::GetPropertyHelper jsobj.cpp:4625
#28 0x10a7ecb4c in js::GetPropertyOperation jsinterpinlines.h:270
#29 0x10a79c581 in js::Interpret jsinterp.cpp:2293
#30 0x10acf9372 in js::mjit::EnterMethodJIT MethodJIT.cpp:1043
#31 0x10acf9e72 in CheckStackAndEnterMethodJIT MethodJIT.cpp:1074
#32 0x10a78d4f7 in js::RunScript jsinterp.cpp:306
#33 0x10a7e282a in js::InvokeKernel jsinterp.cpp:363
#34 0x10a7e4200 in js::Invoke jsinterp.h:119
#35 0x10a5e327e in JS_CallFunctionValue jsapi.cpp:5850
#36 0x106cad3ab in nsJSContext::CallEventHandler nsJSEnvironment.cpp:1917
#37 0x106f98a2c in nsJSEventListener::HandleEvent nsJSEventListener.cpp:188
#38 0x1066a014e in nsEventListenerManager::HandleEventInternal nsEventListenerManager.cpp:800
#39 0x10672ce87 in nsEventTargetChainItem::HandleEvent nsEventListenerManager.h:142
#40 0x1067261a8 in nsEventTargetChainItem::HandleEventTargetChain nsEventDispatcher.cpp:314
#41 0x10672b201 in nsEventDispatcher::Dispatch nsEventDispatcher.cpp:635
#42 0x1058d2e38 in DocumentViewerImpl::LoadComplete nsDocumentViewer.cpp:1024
#43 0x108095fb5 in nsDocShell::EndPageLoad nsDocShell.cpp:6429
#44 0x1080921cd in nsDocShell::OnStateChange nsDocShell.cpp:6260
#45 0x10809288f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) (in XUL) + 15
#46 0x10812472c in nsDocLoader::DoFireOnStateChange nsDocLoader.cpp:1351
#47 0x10812335a in nsDocLoader::doStopDocumentLoad nsDocLoader.cpp:931
#48 0x10811fbf4 in nsDocLoader::DocLoaderIsEmpty nsDocLoader.cpp:820
#49 0x108121d6d in nsDocLoader::OnStopRequest nsDocLoader.cpp:704
#50 0x108122dbc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (in XUL) + 12
#51 0x105178be1 in nsLoadGroup::RemoveRequest nsLoadGroup.cpp:698
#52 0x106303954 in nsDocument::DoUnblockOnload nsDocument.cpp:7223
#53 0x1062e18c0 in nsDocument::DispatchContentLoadedEvents nsDocument.cpp:4240
#54 0x10632c529 in nsRunnableMethodImpl<void , true>::Run nsThreadUtils.h:349
#55 0x1094c46e7 in nsThread::ProcessNextEvent nsThread.cpp:624
#56 0x1093bcfa8 in NS_ProcessPendingEvents_P nsThreadUtils.cpp:170
#57 0x108aa486e in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:97
#58 0x1089f317c in nsAppShell::ProcessGeckoEvents nsAppShell.mm:402
#59 0x7fff91b4e100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
#60 0x7fff91b4da24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
#61 0x7fff91b70dc4 in __CFRunLoopRun (in CoreFoundation) + 788
#62 0x7fff91b706b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
#63 0x7fff8b5140a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
#64 0x7fff8b513d83 in ReceiveNextEventCommon (in HIToolbox) + 165
#65 0x7fff8b513cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
#66 0x7fff8d811612 in _DPSNextEvent (in AppKit) + 684
#67 0x7fff8d810ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
#68 0x1089f11e7 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] nsAppShell.mm:168
#69 0x7fff8d808282 in -[NSApplication run] (in AppKit) + 516
#70 0x1089f3f19 in nsAppShell::Run nsAppShell.mm:756
#71 0x10832b690 in nsAppStartup::Run nsAppStartup.cpp:273
#72 0x1050c2a02 in XREMain::XRE_mainRun nsAppRunner.cpp:3812
#73 0x1050c31ad in XREMain::XRE_main nsAppRunner.cpp:3889
#74 0x1050c3b7a in XRE_main nsAppRunner.cpp:3965
#75 0x100002c34 in main nsBrowserApp.cpp:174
#76 0x1000015a3 in start (in firefox-bin) + 51
#77 0x0 in 0x0000000100000000 (in firefox-bin)

Stats: 496M malloced (400M for red zones) by 726592 calls
Stats: 58M realloced by 23004 calls
Stats: 434M freed by 540537 calls
Stats: 292M really freed by 249088 calls
Stats: 668M (171111 full pages) mmaped in 152 calls
mmaps by size class: 8:409575; 9:65528; 10:24570; 11:20470; 12:6144; 13:3584; 14:1536; 15:1024; 16:448; 17:1280; 18:176; 19:40; 20:24; 21:4; 24:5;
mallocs by size class: 8:539164; 9:92472; 10:47081; 11:28122; 12:7993; 13:5222; 14:2319; 15:1516; 16:740; 17:1650; 18:231; 19:46; 20:28; 21:3; 24:6;
frees by size class: 8:384763; 9:73650; 10:40802; 11:24430; 12:6493; 13:4583; 14:2032; 15:1435; 16:584; 17:1621; 18:69; 19:43; 20:24; 21:3; 24:6;
rfrees by size class: 8:152462; 9:38958; 10:27651; 11:20141; 12:2957; 13:2477; 14:1508; 15:1035; 16:431; 17:1344; 18:59; 19:41; 20:21; 24:3;
Stats: malloc large: 2047 small slow: 3969
Flags: needinfo?(mwobensmith)
Mats how bad is this?
Flags: needinfo?(matspal)
WFM, m-c ASan debug build on Linux64. I'm pretty sure this was fixed by bug 814995.
Assignee: nobody → matspal
Severity: normal → critical
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Depends on: 814995
Flags: needinfo?(matspal) → in-testsuite?
Keywords: crash, testcase
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Whiteboard: [sg:dupe 814995][fixed by bug 814995]
Target Milestone: --- → mozilla20
Keywords: sec-other
Whiteboard: [sg:dupe 814995][fixed by bug 814995] → [fixed by bug 814995]
Whiteboard: [fixed by bug 814995] → [fixed by bug 814995][adv-main20+]
Whiteboard: [fixed by bug 814995][adv-main20+] → [fixed by bug 814995][adv-main20-]
Group: core-security
Flags: in-testsuite? → in-testsuite+