crash @nsVoidArray::IndexOf seems to originate in nsHTMLEditRules

RESOLVED DUPLICATE of bug 803853

Status: RESOLVED DUPLICATE of bug 803853
Type: defect
Priority: --
Severity: critical
Reported: 7 years ago
Last modified: 7 years ago

People
Reporter: nils
Assignee: Unassigned

Tracking
Keywords: crash, testcase
Version: 17 Branch
Platform: x86_64, Windows 8
Points: ---
Firefox Tracking Flags: Not tracked

Details
Whiteboard: [sg:dupe 803853]

Attachments
(1 attachment)

The attached file crashes the current stable release with an unmapped memory access on a range of addresses.

See the stack backtraces on Linux and Windows below:

Linux gdb output:
Program received signal SIGSEGV, Segmentation fault.
nsVoidArray::IndexOf (this=0x7fffca252cb0, aPossibleElement=0x7fffc83eb078) at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsVoidArray.cpp:401
401	/build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsVoidArray.cpp: No such file or directory.
(gdb) x/10i $rip
=> 0x7ffff42b1277 <nsVoidArray::IndexOf(void*) const+29>:	cmp    %rsi,(%rax)
   0x7ffff42b127a <nsVoidArray::IndexOf(void*) const+32>:	jne    0x7ffff42b1284 <nsVoidArray::IndexOf(void*) const+42>
   0x7ffff42b127c <nsVoidArray::IndexOf(void*) const+34>:	sub    %rcx,%rax
   0x7ffff42b127f <nsVoidArray::IndexOf(void*) const+37>:	shr    $0x3,%rax
   0x7ffff42b1283 <nsVoidArray::IndexOf(void*) const+41>:	retq   
   0x7ffff42b1284 <nsVoidArray::IndexOf(void*) const+42>:	add    $0x8,%rax
   0x7ffff42b1288 <nsVoidArray::IndexOf(void*) const+46>:	cmp    %rdx,%rax
   0x7ffff42b128b <nsVoidArray::IndexOf(void*) const+49>:	jb     0x7ffff42b1277 <nsVoidArray::IndexOf(void*) const+29>
   0x7ffff42b128d <nsVoidArray::IndexOf(void*) const+51>:	or     $0xffffffff,%eax
   0x7ffff42b1290 <nsVoidArray::IndexOf(void*) const+54>:	retq   
(gdb) info reg
rax            0x7fffca700000	140736589725696
rbx            0x7fffca252cb0	140736584821936
rcx            0x7fffca6fe608	140736589719048
rdx            0x7fffca73e600	140736589981184
rsi            0x7fffc83eb078	140736552939640
rdi            0x7fffca252cb0	140736584821936
rbp            0x7fffc83eb000	0x7fffc83eb000
rsp            0x7fffffffa2a8	0x7fffffffa2a8
r8             0x7ffff7ec6040	140737352851520
r9             0x2cf4	11508
r10            0x7ffff7ec6370	140737352852336
r11            0x7ffff7ec6370	140737352852336
r12            0x7fffe8dbf320	140737100116768
r13            0x2	2
r14            0x7fffc73e1600	140736536122880
r15            0x0	0
rip            0x7ffff42b1277	0x7ffff42b1277 <nsVoidArray::IndexOf(void*) const+29>
eflags         0x10287	[ CF PF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

(gdb) bt 40
#0  nsVoidArray::IndexOf (this=0x7fffca252cb0, aPossibleElement=0x7fffc83eb078) at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsVoidArray.cpp:401
#1  0x00007ffff42b14e7 in nsVoidArray::RemoveElement (this=0x7fffca252cb0, aElement=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsVoidArray.cpp:614
#2  0x00007ffff42aef2e in nsCOMArray_base::RemoveObject (this=<optimised out>, aObject=0x7fffc83eb078)
    at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsCOMArray.cpp:90
#3  0x00007ffff3d5d97b in RemoveObject (aObject=<optimised out>, this=<optimised out>) at ../../../dist/include/nsCOMArray.h:241
#4  nsEditor::RemoveEditActionListener (this=<optimised out>, aListener=<optimised out>) at /build/buildd/firefox-17.0.1+build1/editor/libeditor/base/nsEditor.cpp:1879
#5  0x00007ffff3dce718 in nsHTMLEditRules::~nsHTMLEditRules (this=0x7fffc83eb000, __in_chrg=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/editor/libeditor/html/nsHTMLEditRules.cpp:212
#6  0x00007ffff3dce77f in nsHTMLEditRules::~nsHTMLEditRules (this=0x7fffc83eb000, __in_chrg=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/editor/libeditor/html/nsHTMLEditRules.cpp:213
#7  0x00007ffff3d5a6e6 in nsTextEditRules::Release (this=0x7fffc83eb000) at /build/buildd/firefox-17.0.1+build1/editor/libeditor/text/nsTextEditRules.cpp:93
#8  0x00007ffff3de290e in nsRunnableMethodReceiver<nsHTMLEditRules, true>::Revoke (this=0x7fffca5af9e0) at ../../../dist/include/nsThreadUtils.h:304
#9  0x00007ffff3de2939 in ~nsRunnableMethodReceiver (this=0x7fffca5af9e0, __in_chrg=<optimised out>) at ../../../dist/include/nsThreadUtils.h:303
#10 nsRunnableMethodImpl<void (nsHTMLEditRules::*)(), true>::~nsRunnableMethodImpl (this=<optimised out>, __in_chrg=<optimised out>) at ../../../dist/include/nsThreadUtils.h:333
#11 0x00007ffff3de294f in nsRunnableMethodImpl<void (nsHTMLEditRules::*)(), true>::~nsRunnableMethodImpl (this=0x7fffca5af9d0, __in_chrg=<optimised out>)
    at ../../../dist/include/nsThreadUtils.h:333
#12 0x00007ffff42b1a4a in Release (this=<optimised out>) at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsThreadUtils.cpp:30
#13 nsRunnable::Release (this=<optimised out>) at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/xpcom/build/nsThreadUtils.cpp:30
#14 0x00007ffff3ad5cb9 in ~nsCOMPtr (this=0x7fffca47cc90, __in_chrg=<optimised out>) at ../../../dist/include/nsCOMPtr.h:447
#15 Destruct (e=0x7fffca47cc90) at ../../../dist/include/nsTArray.h:360
#16 DestructRange (count=<optimised out>, start=<optimised out>, this=0x7fffe396c478) at ../../../dist/include/nsTArray.h:1225
#17 nsTArray<nsCOMPtr<nsIRunnable>, nsTArrayDefaultAllocator>::RemoveElementsAt (this=0x7fffe396c478, start=<optimised out>, count=<optimised out>)
    at ../../../dist/include/nsTArray.h:945
#18 0x00007ffff3ad5d72 in nsContentUtils::RemoveScriptBlocker () at /build/buildd/firefox-17.0.1+build1/content/base/src/nsContentUtils.cpp:4980
#19 0x00007ffff3afb943 in nsDocument::EndUpdate (this=0x7fffc950f800, aUpdateType=1) at /build/buildd/firefox-17.0.1+build1/content/base/src/nsDocument.cpp:4012
#20 0x00007ffff3c1e379 in nsHTMLDocument::EndUpdate (this=0x7fffc950f800, aUpdateType=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/content/html/document/src/nsHTMLDocument.cpp:2350
#21 0x00007ffff3a2e4f4 in mozAutoDocUpdate::~mozAutoDocUpdate (this=<optimised out>, __in_chrg=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/layout/style/../../content/base/src/mozAutoDocUpdate.h:35
#22 0x00007ffff3b1386d in nsINode::ReplaceOrInsertBefore (this=0x7fffca47c680, aReplace=false, aNewChild=<optimised out>, aRefChild=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/content/base/src/nsINode.cpp:1895
#23 0x00007ffff3f4a836 in ReplaceOrInsertBefore (aReplace=false, aReturn=<synthetic pointer>, aRefChild=0x0, aNewChild=0x7fffc73e1660, this=0x7fffca47c680)
    at ../../../dist/include/nsINode.h:1464
#24 InsertBefore (aReturn=<synthetic pointer>, aRefChild=0x0, aNewChild=0x7fffc73e1660, this=0x7fffca47c680) at ../../../dist/include/nsINode.h:488
#25 AppendChild (aReturn=<synthetic pointer>, aNewChild=0x7fffc73e1660, this=0x7fffca47c680) at ../../../dist/include/nsINode.h:498
#26 nsIDOMNode_AppendChild (cx=0x7fffcd3d43e0, argc=<optimised out>, vp=0x7fffdf9ff138)
    at /build/buildd/firefox-17.0.1+build1/obj-x86_64-linux-gnu/js/xpconnect/src/dom_quickstubs.cpp:5531
#27 0x00007ffff47098c8 in CallJSNative (args=..., native=<optimised out>, cx=0x7fffcd3d43e0) at /build/buildd/firefox-17.0.1+build1/js/src/jscntxtinlines.h:372
#28 js::InvokeKernel (cx=0x7fffcd3d43e0, args=..., construct=js::NO_CONSTRUCT) at /build/buildd/firefox-17.0.1+build1/js/src/jsinterp.cpp:352
#29 0x00007ffff470a0bb in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x7fffcd3d43e0) at /build/buildd/firefox-17.0.1+build1/js/src/jsinterp.h:119
#30 js::Invoke (cx=0x7fffcd3d43e0, thisv=..., fval=..., argc=1, argv=<optimised out>, rval=0x7fffffffab78) at /build/buildd/firefox-17.0.1+build1/js/src/jsinterp.cpp:396
#31 0x00007ffff474f54e in js::IndirectProxyHandler::call (this=<optimised out>, cx=0x7fffcd3d43e0, proxy=0x7fffca18f280, argc=1, vp=0x7fffdf9ff120)
    at /build/buildd/firefox-17.0.1+build1/js/src/jsproxy.cpp:483
#32 0x00007ffff47be555 in call (vp=0x7fffdf9ff120, argc=1, wrapper=0x7fffca18f280, cx=0x7fffcd3d43e0, this=0x7ffff579d760)
    at /build/buildd/firefox-17.0.1+build1/js/src/jswrapper.cpp:404
#33 js::DirectWrapper::call (this=0x7ffff579d760, cx=0x7fffcd3d43e0, wrapper=0x7fffca18f280, argc=1, vp=0x7fffdf9ff120) at /build/buildd/firefox-17.0.1+build1/js/src/jswrapper.cpp:400
#34 0x00007ffff47bfd87 in js::CrossCompartmentWrapper::call (this=0x7ffff579d760, cx=0x7fffcd3d43e0, wrapper_=0x7fffca18f280, argc=1, vp=0x7fffdf9ff120)
    at /build/buildd/firefox-17.0.1+build1/js/src/jswrapper.cpp:736
#35 0x00007ffff4754c03 in js::Proxy::call (cx=<optimised out>, proxy=<optimised out>, argc=<optimised out>, vp=<optimised out>)
    at /build/buildd/firefox-17.0.1+build1/js/src/jsproxy.cpp:1332
#36 0x00007ffff4754c5d in proxy_Call (cx=<optimised out>, argc=<optimised out>, vp=<optimised out>) at /build/buildd/firefox-17.0.1+build1/js/src/jsproxy.cpp:1888
#37 0x00007ffff47098c8 in CallJSNative (args=..., native=<optimised out>, cx=0x7fffcd3d43e0) at /build/buildd/firefox-17.0.1+build1/js/src/jscntxtinlines.h:372
#38 js::InvokeKernel (cx=0x7fffcd3d43e0, args=..., construct=js::NO_CONSTRUCT) at /build/buildd/firefox-17.0.1+build1/js/src/jsinterp.cpp:352
#39 0x00007ffff47029c9 in js::Interpret (cx=<optimised out>, entryFrame=0x7fffdf9ff030, interpMode=js::JSINTERP_NORMAL) at /build/buildd/firefox-17.0.1+build1/js/src/jsinterp.cpp:2414
(More stack frames follow...)

Windows Stack:
xul!nsQueryReferent::operator()+0xf:
713f2daf 8b490c          mov     ecx,dword ptr [ecx+0Ch] ds:002b:454d4f50=????????
0:000:x86> cdb: Reading initial command 'kp 16;q'
ChildEBP RetAddr  
002abf7c 71403617 xul!nsQueryReferent::operator()(struct nsID * aIID = 0x71ef03ec, void ** answer = 0x7160c1e6)+0xf
002abf8c 71367819 xul!nsCOMPtr_base::assign_from_helper(class nsCOMPtr_helper * helper = 0x71ef03ec, struct nsID * iid = 0x7160c1e6)+0x17
002abfb0 7160c1e6 xul!nsEditor::GetPresShell(void)+0x2c
002abffc 7172803c xul!nsEditor::GetSelectionController+0x19d3c6
002ac000 713e4cec xul!nsRunnableMethodImpl<void (void)+0x13
002ac024 71401b9a xul!nsContentUtils::RemoveScriptBlocker(void)+0xbc
002ac048 713cd0ed xul!nsDocument::EndUpdate(unsigned int aUpdateType = 0x7f13780)+0xba
002ac054 7148171c xul!nsHTMLDocument::EndUpdate(unsigned int aUpdateType = 0x71545864)+0xd
002ac200 71545864 xul!nsINode::ReplaceOrInsertBefore(bool aReplace = false, class nsINode * aNewChild = 0x09978cc0, class nsINode * aRefChild = 0x00000000)+0x2ac
002ac210 714e77d7 xul!nsINode::AppendChild(class nsINode * aNewChild = 0x728075f9, unsigned int * aReturn = 0x07f58110)+0x10
*** WARNING: Unable to verify checksum for C:\newgenff\firefox\mozjs.dll
002ac324 728075f9 xul!nsIDOMNode_AppendChild(struct JSContext * cx = 0x07f58110, unsigned int argc = 1, class JS::Value * vp = 0x04ee00c8)+0x1a3
002ac398 727f8169 mozjs!js::InvokeKernel(struct JSContext * cx = 0x07f58110, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x59
002ac3e8 727ece3a mozjs!js::Invoke(struct JSContext * cx = 0x07f58110, class JS::Value * thisv = 0x04ee00b8, class JS::Value * fval = 0x058552c0, unsigned int argc = 1, class JS::Value * argv = 0x04ee00c0, class JS::Value * rval = 0x002ac440)+0x209
002ac44c 727e05e6 mozjs!js::CrossCompartmentWrapper::call(struct JSContext * cx = 0x07f58110, struct JSObject * wrapper_ = 0x05855290, unsigned int argc = 1, class JS::Value * vp = 0x04ee00b0)+0x13a
002ac474 72807c01 mozjs!proxy_Call(struct JSContext * cx = 0x727ff27a, unsigned int argc = 0x7f58110, class JS::Value * vp = 0x00000000)+0x66
002ac4e8 727ff27a mozjs!js::InvokeKernel(struct JSContext * cx = 0x07f58110, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x661
002acddc 727e1a2e mozjs!js::Interpret(struct JSContext * cx = 0x07f58110, class js::StackFrame * entryFrame = 0x04ee0020, js::InterpMode interpMode = JSINTERP_NORMAL (0n0))+0x96a
002ace0c 727ea19d mozjs!js::RunScript(struct JSContext * cx = 0x07f58110, struct JSScript * script = 0x05851c58, class js::StackFrame * fp = 0x04ee0020)+0x23e
002ace6c 7283d7ed mozjs!js::ExecuteKernel(struct JSContext * cx = 0x07f58110, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, struct JSObject * scopeChain = 0x0584d040, class JS::Value * thisv = 0x002ace98, js::ExecuteType type = EXECUTE_GLOBAL (0n1), class js::StackFrame * evalInFrame = 0x00000000, class JS::Value * result = 0x00000000)+0x18d
002acea0 72842805 mozjs!js::Execute(struct JSContext * cx = 0x07f58110, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, struct JSObject * scopeChainArg = 0x09ef3460, class JS::Value * rval = 0x00000000)+0x9d
002acefc 71369786 mozjs!JS::Evaluate(struct JSContext * cx = 0x07f58110, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, struct JS::CompileOptions options = struct JS::CompileOptions, wchar_t * chars = 0x07e3c580 "start_dataiframe0()", unsigned int length = 0x13, class JS::Value * rval = 0x00000000)+0xc5
002acfb8 7149e105 xul!nsJSContext::EvaluateString(class nsAString_internal * aScript = 0x002ad014, struct JSObject * aScopeObject = 0x0584d040, class nsIPrincipal * aPrincipal = 0x06497b80, class nsIPrincipal * aOriginPrincipal = 0x06497b80, char * aURL = 0x0961d7f8 "file:///c:/newgenff/repro/crash.js", unsigned int aLineNo = 0xe, JSVersion aVersion = JSVERSION_DEFAULT (0n0), class nsAString_internal * aRetValue = 0x00000000, bool * aIsUndefined = 0x002acfef)+0x286
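A triage check, added here as an illustration and not part of the bug report or of Mozilla's code. It parses the Linux `info reg` dump above and reads the faulting loop from the `x/10i` listing: `cmp %rsi,(%rax)` inside a scan that steps `rax` from the first slot in `rcx` up to the end pointer in `rdx` in 8-byte steps, looking for the needle in `rsi`. From those four registers it reports whether the faulting read landed exactly on a page boundary (memory ran out under a scan, rather than a NULL deref), how many elements the nsVoidArray header claimed, and whether the Windows fault address `454d4f50` (shown as `ecx+0Ch`) is made of printable ASCII bytes. The 64-listener plausibility threshold and the register subset are assumptions; the findings are inferences that fit the trace (listener array or editor read from freed memory), which is why a crash like this gets core-security handling rather than a plain defect triage.

```python
import re

# Constructed input: the register dump copied from the Linux gdb session in the
# report above (only the registers the scan loop uses are needed).
GDB_INFO_REG = """\
rax            0x7fffca700000	140736589725696
rbx            0x7fffca252cb0	140736584821936
rcx            0x7fffca6fe608	140736589719048
rdx            0x7fffca73e600	140736589981184
rsi            0x7fffc83eb078	140736552939640
rdi            0x7fffca252cb0	140736584821936
rip            0x7ffff42b1277	0x7ffff42b1277 <nsVoidArray::IndexOf(void*) const+29>
"""

PAGE_SIZE = 0x1000             # x86_64 Linux base page
ELEMENT_SIZE = 8               # nsVoidArray stores void*; 8 bytes on x86_64
MAX_PLAUSIBLE_LISTENERS = 64   # assumption: an editor registers a handful of listeners


def parse_regs(text):
    """Parse `info reg` output into {name: int}; eflags/segment lines also parse."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+)\s+(0x[0-9a-fA-F]+)', line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def analyze_scan_fault(regs):
    """Interpret the faulting `cmp %rsi,(%rax)` in the loop shown by x/10i:
    rcx = first slot, rdx = one past the last slot, rax = slot being read,
    rsi = element searched for (nsVoidArray::IndexOf's aPossibleElement)."""
    fault, first, end = regs['rax'], regs['rcx'], regs['rdx']
    claimed = (end - first) // ELEMENT_SIZE
    return {
        'fault_addr': fault,
        'fault_on_page_boundary': fault % PAGE_SIZE == 0,
        'claimed_count': claimed,
        'scanned_before_fault': (fault - first) // ELEMENT_SIZE,
        'count_implausible': claimed > MAX_PLAUSIBLE_LISTENERS,
        'needle': regs['rsi'],
    }


def ascii_pointer(value, width=4):
    """If every byte of a little-endian pointer is printable ASCII, return the
    text; such 'pointers' are usually string data that overwrote a freed slot."""
    raw = value.to_bytes(width, 'little')
    if all(0x20 <= b < 0x7f for b in raw):
        return raw.decode('ascii')
    return None


def triage(regs, win_fault_addr=None):
    """Return human-readable findings for the report's two crash sites."""
    a = analyze_scan_fault(regs)
    findings = []
    if a['fault_on_page_boundary']:
        findings.append(
            f"read at {a['fault_addr']:#x} is the first byte of an unmapped page: "
            f"the scan walked off the end of mapped memory, not a NULL dereference")
    if a['count_implausible']:
        findings.append(
            f"array header claims {a['claimed_count']} elements "
            f"({a['scanned_before_fault']} scanned before the fault); that many "
            f"edit-action listeners is implausible, so the count and element "
            f"pointer were read from freed or garbage memory")
    text = ascii_pointer(win_fault_addr) if win_fault_addr is not None else None
    if text:
        findings.append(
            f"Windows: fault address {win_fault_addr:#x} spells {text!r} in ASCII, "
            f"a further sign that the object pointer came from reused memory")
    return findings


if __name__ == '__main__':
    for finding in triage(parse_regs(GDB_INFO_REG), win_fault_addr=0x454d4f50):
        print('-', finding)
```

The page-boundary test is the one to run first on any crash like this: a read that faults at an address ending in 000 after hundreds of successful 8-byte steps is a scan over a bad length, and the implausible element count then points at the object that owned that length (here the nsEditor reached from ~nsHTMLEditRules) rather than at nsVoidArray itself.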
Aryeh, can you look at this, please? Thanks!

Assignee: nobody → ayg
Attachment #691492 - Attachment mime type: text/plain → text/html

Right now I can't guarantee any kind of availability, so please don't assign anything time-sensitive to me (e.g., security) for the time being. Feel free to still CC me on things like this, though. When I do have time to work, I'll make this sort of thing top priority if no one else has picked it up.

Assignee: ayg → nobody

Matt: please test this in more recent builds, bug 803853 is in this area of code and may have fixed this (checked-in Dec 6).

Flags: needinfo?(mwobensmith)
Keywords: crash, testcase

(If it still presents please cc Olli)

No crash in yesterday's nightly (2012-12-19), and no crash in nightly from 2012-12-12. I tried both ASan and release builds.

I was able to see the crash on builds dated before 2012-11-27, but haven't spent any time looking for an injection build between those dates.

Regardless, something appears to have fixed this crash already.

Flags: needinfo?(mwobensmith)

Asking Matt to regress pre and post-fix builds for bug 803853.

Flags: needinfo?(mwobensmith)

Confirmed the crash on m-c 2012-12-06, fixed on 2012-12-07.

This suggests that the changes made for bug 803853 fixed this bug as well.

Flags: needinfo?(mwobensmith)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 803853]
Duplicate of bug: CVE-2013-0766
Group: core-security