Closed Bug 810303 Opened 7 years ago Closed 7 years ago

xul.dll!nsHTMLFramesetFrame..GetSizeOfChildAt use-after-free

Categories: Core :: Layout (defect, critical)
Version: 16 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla20
Tracking Status:
firefox19 --- wontfix
firefox20 --- fixed
firefox21 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Assigned: mats)

References

Details

(4 keywords, Whiteboard: [fixed by bug 814995][adv-main20-])

Crash Data

Attachments

(1 file)

437 bytes, text/html
Details
Attached file repro.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Steps to reproduce:

Repro:
<!DOCTYPE html>
<html>
  <head>
    <script>
      window.onload = function() {
        document.removeChild(document.documentElement);
        var oFrameset1 = document.createElement('frameset'),
            oFrameset2 = document.createElement('frameset');
        document.appendChild(oFrameset1);
        oFrameset1.appendChild(oFrameset2);
        alert(oFrameset2.offsetWidth);
      };
    </script>
  </head>
</html>


Actual results:

Firefox crashes because it is using a freed and poisoned Frame. This use-after-free is not considered a security issue because the poisoning prevents exploitation.


Expected results:

Firefox should not crash.
Attachment #680074 - Attachment mime type: text/plain → text/html
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 571653
This is not a duplicate of bug 571653. They crash in the same function but on different lines with different symptoms. That one's a divide-by-zero, this one is UAF.

The crashing address is in the neighborhood of frame-poisoned values, but seems like too big an offset from what I usually see. We should test this using ASan or Valgrind. If it's frame-poisoned those won't complain (because the arena is still valid), but if it's merely mimicking frame-poisoning we should be able to see the difference.
Group: core-security
Status: RESOLVED → REOPENED
Crash Signature: [@ nsHTMLFramesetFrame::GetSizeOfChildAt(int, nsSize&, nsIntPoint&) ]
Ever confirmed: true
Resolution: DUPLICATE → ---
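The triage rule in the comment above (a fault address a small offset away from the frame-poison value means a read through a poisoned pointer, and ASan or Valgrind stay quiet because the freed frame never left the presentation arena) as an added C example. This is not Mozilla code: it is a toy arena that poisons on free in the way the thread describes, plus the address check a triager would apply to a crash report. The poison constant, the offset window, the Frame layout and the 64-bit little-endian target are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: Gecko derives its poison value from an address it has made
 * unmapped; this constant and the offset window are illustrative only. */
#define POISON_BASE   UINT64_C(0x7ffffffff0dea7ff)
#define POISON_WINDOW UINT64_C(0x10000)

typedef struct Frame {
    struct Frame *parent;
    struct Frame *first_child;
    int width;
    int height;
} Frame;

#define ARENA_SLOTS 8

/* Arena: one slab plus a free list. A freed slot never returns to the
 * system allocator, so ASan/Valgrind see ordinary in-bounds memory when a
 * stale pointer reads it; only the poison contents give the bug away. */
typedef struct {
    Frame  slab[ARENA_SLOTS];
    size_t used;
    Frame *freelist[ARENA_SLOTS];
    size_t nfree;
} Arena;

static void arena_init(Arena *a) { memset(a, 0, sizeof *a); }

static Frame *arena_alloc(Arena *a) {
    Frame *f;
    if (a->nfree > 0)               f = a->freelist[--a->nfree];
    else if (a->used < ARENA_SLOTS) f = &a->slab[a->used++];
    else return NULL;
    memset(f, 0, sizeof *f);
    return f;
}

/* Free: overwrite every word with the poison value, then recycle the slot. */
static void arena_free(Arena *a, Frame *f) {
    uint64_t word = POISON_BASE;
    for (size_t off = 0; off + sizeof word <= sizeof *f; off += sizeof word)
        memcpy((unsigned char *)f + off, &word, sizeof word);
    a->freelist[a->nfree++] = f;
}

/* Triage rule from the thread: a fault address within a field-offset's
 * reach of the poison value means a read *through* a poisoned pointer. */
static int is_poison_fault(uint64_t fault_addr) {
    return fault_addr >= POISON_BASE && fault_addr - POISON_BASE < POISON_WINDOW;
}

/* Shape of this bug: a child frame is destroyed while its parent still
 * points at it, and the parent later walks the stale pointer. Returns the
 * address the next dereference would fault on, without performing it. */
static uint64_t simulate_stale_child_read(void) {
    Arena a;
    arena_init(&a);
    Frame *parent = arena_alloc(&a);
    Frame *child  = arena_alloc(&a);
    parent->first_child = child;
    child->parent = parent;

    arena_free(&a, child);                /* destroyed; parent not updated */

    Frame *stale = parent->first_child;   /* in-arena read: no sanitizer report */
    uint64_t poisoned_ptr;                /* stale->parent now holds the poison word */
    memcpy(&poisoned_ptr, &stale->parent, sizeof poisoned_ptr);
    return poisoned_ptr + offsetof(Frame, width); /* what stale->parent->width would touch */
}

int main(void) {
    uint64_t addr = simulate_stale_child_read();
    printf("stale read would fault at 0x%llx: %s\n", (unsigned long long)addr,
           is_poison_fault(addr) ? "poisoned-frame UAF" : "something else");
    printf("fault at 0x0: %s\n",
           is_poison_fault(0) ? "poisoned-frame UAF" : "not a poison address");
    return 0;
}
```

Applied to the ASan result posted later in this bug, which faults at address 0x0, the check returns false: that crash is a null dereference on a frame pointer, not a read through a poison word, which is consistent with the reporter's crash and the ASan build's crash being different symptoms of the same stale-child state.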
needinfo?mwobensmith to see what ASAN reports here.
Component: Untriaged → Layout
Flags: needinfo?(mwobensmith)
Product: Firefox → Core
This crash does not reproduce on nightly FF 20, 2012-12-19. 

However, I can get the crash using an ASan build of release 17.0.1. Symbolized stack trace below.


==92874== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x000105b7ae15 sp 0x7fff5fbec520 bp 0x7fff5fbec5f0 T0)
AddressSanitizer can not provide additional info.
    #0 0x105b7ae14 in nsHTMLFramesetFrame::GetDesiredSize nsFrameSetFrame.cpp:724
    #1 0x105b7dc8e in nsHTMLFramesetFrame::Reflow nsFrameSetFrame.cpp:932
    #2 0x105ac2ba4 in nsBlockReflowContext::ReflowBlock nsBlockReflowContext.cpp:268
    #3 0x105a9c584 in nsBlockFrame::ReflowBlockFrame nsBlockFrame.cpp:3205
    #4 0x105a96ce3 in nsBlockFrame::ReflowLine nsBlockFrame.cpp:2513
    #5 0x105a8bc2e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:2019
    #6 0x105a81c97 in nsBlockFrame::Reflow nsBlockFrame.cpp:1068
    #7 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
    #8 0x105bca044 in nsCanvasFrame::Reflow nsCanvasFrame.cpp:463
    #9 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
    #10 0x105b91019 in nsHTMLScrollFrame::ReflowScrolledFrame nsGfxScrollFrame.cpp:523
    #11 0x105b91852 in nsHTMLScrollFrame::ReflowContents nsGfxScrollFrame.cpp:623
    #12 0x105b94a2f in nsHTMLScrollFrame::Reflow nsGfxScrollFrame.cpp:864
    #13 0x105ae8c7c in nsContainerFrame::ReflowChild nsContainerFrame.cpp:946
    #14 0x105d123d2 in ViewportFrame::Reflow nsViewportFrame.cpp:200
    #15 0x105984ee8 in PresShell::DoReflow nsPresShell.cpp:7431
    #16 0x10599a3ba in PresShell::ProcessReflowCommands nsPresShell.cpp:7578
    #17 0x1059997a1 in PresShell::FlushPendingNotifications nsPresShell.cpp:3895
    #18 0x1062f9e6f in nsDocument::FlushPendingNotifications nsDocument.cpp:6360
    #19 0x106392f2e in nsGenericElement::GetStyledFrame nsGenericElement.cpp:1794
    #20 0x1067967fd in nsGenericHTMLElement::GetOffsetRect nsGenericHTMLElement.cpp:471
    #21 0x106798ce0 in nsGenericHTMLElement::GetOffsetWidth nsGenericHTMLElement.cpp:602
    #22 0x107e826b2 in nsIDOMHTMLElement_GetOffsetWidth dom_quickstubs.cpp:14667
    #23 0x10a869d07 in js::CallJSPropertyOp, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) jscntxtinlines.h:445
    #24 0x10a870c50 in js::Shape::get jsscopeinlines.h:304
    #25 0x10a856baf in js_NativeGetInline jsobj.cpp:4462
    #26 0x10a857b1b in js_GetPropertyHelperInline Root.h:330
    #27 0x10a85783d in js::GetPropertyHelper jsobj.cpp:4625
    #28 0x10a7ecb4c in js::GetPropertyOperation jsinterpinlines.h:270
    #29 0x10a79c581 in js::Interpret jsinterp.cpp:2293
    #30 0x10acf9372 in js::mjit::EnterMethodJIT MethodJIT.cpp:1043
    #31 0x10acf9e72 in CheckStackAndEnterMethodJIT MethodJIT.cpp:1074
    #32 0x10a78d4f7 in js::RunScript jsinterp.cpp:306
    #33 0x10a7e282a in js::InvokeKernel jsinterp.cpp:363
    #34 0x10a7e4200 in js::Invoke jsinterp.h:119
    #35 0x10a5e327e in JS_CallFunctionValue jsapi.cpp:5850
    #36 0x106cad3ab in nsJSContext::CallEventHandler nsJSEnvironment.cpp:1917
    #37 0x106f98a2c in nsJSEventListener::HandleEvent nsJSEventListener.cpp:188
    #38 0x1066a014e in nsEventListenerManager::HandleEventInternal nsEventListenerManager.cpp:800
    #39 0x10672ce87 in nsEventTargetChainItem::HandleEvent nsEventListenerManager.h:142
    #40 0x1067261a8 in nsEventTargetChainItem::HandleEventTargetChain nsEventDispatcher.cpp:314
    #41 0x10672b201 in nsEventDispatcher::Dispatch nsEventDispatcher.cpp:635
    #42 0x1058d2e38 in DocumentViewerImpl::LoadComplete nsDocumentViewer.cpp:1024
    #43 0x108095fb5 in nsDocShell::EndPageLoad nsDocShell.cpp:6429
    #44 0x1080921cd in nsDocShell::OnStateChange nsDocShell.cpp:6260
    #45 0x10809288f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) (in XUL) + 15
    #46 0x10812472c in nsDocLoader::DoFireOnStateChange nsDocLoader.cpp:1351
    #47 0x10812335a in nsDocLoader::doStopDocumentLoad nsDocLoader.cpp:931
    #48 0x10811fbf4 in nsDocLoader::DocLoaderIsEmpty nsDocLoader.cpp:820
    #49 0x108121d6d in nsDocLoader::OnStopRequest nsDocLoader.cpp:704
    #50 0x108122dbc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (in XUL) + 12
    #51 0x105178be1 in nsLoadGroup::RemoveRequest nsLoadGroup.cpp:698
    #52 0x106303954 in nsDocument::DoUnblockOnload nsDocument.cpp:7223
    #53 0x1062e18c0 in nsDocument::DispatchContentLoadedEvents nsDocument.cpp:4240
    #54 0x10632c529 in nsRunnableMethodImpl<void , true>::Run nsThreadUtils.h:349
    #55 0x1094c46e7 in nsThread::ProcessNextEvent nsThread.cpp:624
    #56 0x1093bcfa8 in NS_ProcessPendingEvents_P nsThreadUtils.cpp:170
    #57 0x108aa486e in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:97
    #58 0x1089f317c in nsAppShell::ProcessGeckoEvents nsAppShell.mm:402
    #59 0x7fff91b4e100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #60 0x7fff91b4da24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #61 0x7fff91b70dc4 in __CFRunLoopRun (in CoreFoundation) + 788
    #62 0x7fff91b706b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #63 0x7fff8b5140a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #64 0x7fff8b513d83 in ReceiveNextEventCommon (in HIToolbox) + 165
    #65 0x7fff8b513cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #66 0x7fff8d811612 in _DPSNextEvent (in AppKit) + 684
    #67 0x7fff8d810ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #68 0x1089f11e7 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] nsAppShell.mm:168
    #69 0x7fff8d808282 in -[NSApplication run] (in AppKit) + 516
    #70 0x1089f3f19 in nsAppShell::Run nsAppShell.mm:756
    #71 0x10832b690 in nsAppStartup::Run nsAppStartup.cpp:273
    #72 0x1050c2a02 in XREMain::XRE_mainRun nsAppRunner.cpp:3812
    #73 0x1050c31ad in XREMain::XRE_main nsAppRunner.cpp:3889
    #74 0x1050c3b7a in XRE_main nsAppRunner.cpp:3965
    #75 0x100002c34 in main nsBrowserApp.cpp:174
    #76 0x1000015a3 in start (in firefox-bin) + 51
    #77 0x0 in 0x0000000100000000 (in firefox-bin)
Stats: 496M malloced (400M for red zones) by 726592 calls
Stats: 58M realloced by 23004 calls
Stats: 434M freed by 540537 calls
Stats: 292M really freed by 249088 calls
Stats: 668M (171111 full pages) mmaped in 152 calls
  mmaps   by size class: 8:409575; 9:65528; 10:24570; 11:20470; 12:6144; 13:3584; 14:1536; 15:1024; 16:448; 17:1280; 18:176; 19:40; 20:24; 21:4; 24:5;
  mallocs by size class: 8:539164; 9:92472; 10:47081; 11:28122; 12:7993; 13:5222; 14:2319; 15:1516; 16:740; 17:1650; 18:231; 19:46; 20:28; 21:3; 24:6;
  frees   by size class: 8:384763; 9:73650; 10:40802; 11:24430; 12:6493; 13:4583; 14:2032; 15:1435; 16:584; 17:1621; 18:69; 19:43; 20:24; 21:3; 24:6;
  rfrees  by size class: 8:152462; 9:38958; 10:27651; 11:20141; 12:2957; 13:2477; 14:1508; 15:1035; 16:431; 17:1344; 18:59; 19:41; 20:21; 24:3;
Stats: malloc large: 2047 small slow: 3969
Flags: needinfo?(mwobensmith)
Mats how bad is this?
Flags: needinfo?(matspal)
WFM, m-c ASan debug build on Linux64.
I'm pretty sure this was fixed by bug 814995.
Assignee: nobody → matspal
Severity: normal → critical
Status: REOPENED → RESOLVED
Closed: 7 years ago
Depends on: 814995
Flags: needinfo?(matspal) → in-testsuite?
Keywords: crash, testcase
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Whiteboard: [sg:dupe 814995][fixed by bug 814995]
Target Milestone: --- → mozilla20
Keywords: sec-other
Whiteboard: [sg:dupe 814995][fixed by bug 814995] → [fixed by bug 814995]
Whiteboard: [fixed by bug 814995] → [fixed by bug 814995][adv-main20+]
Whiteboard: [fixed by bug 814995][adv-main20+] → [fixed by bug 814995][adv-main20-]
Landed the crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2f406ead9a4c
Group: core-security
Flags: in-testsuite? → in-testsuite+