Heap-use-after-free in nsFrameList::InsertFrames

RESOLVED DUPLICATE of bug 812893

Product: Core
Component: Layout
Reported: 5 years ago
Last modified: 3 years ago
Reporter: Abhishek Arya
Assignee: mats
Version: Trunk
Platform: x86_64, All
Keywords: assertion, crash, sec-critical, testcase
Bug Flags: sec-bounty -, in-testsuite ?
Firefox Tracking Flags: firefox21+ fixed
Whiteboard: [asan][sg:dupe 812893][adv-main21-]
Attachments: 1

Description (Reporter, 5 years ago)

Created attachment 691618 [details]: Testcase

==18754== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe1a3eff8c0 at pc 0x7fe1bd5c3f18 bp 0x7ffface44c30 sp 0x7ffface44c28
READ of size 8 at 0x7fe1a3eff8c0 thread T0
    #0 0x7fe1bd5c3f17 in nsFrameList::InsertFrames(nsIFrame*, nsIFrame*, nsFrameList&) src/layout/generic/nsFrameList.cpp:200
    #1 0x7fe1bcc4c32f in nsFrameList::InsertFrame(nsIFrame*, nsIFrame*, nsIFrame*) src/layout/xul/base/src/../../../generic/nsFrameList.h:184
    #2 0x7fe1bd4cf344 in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1675
    #3 0x7fe1bd4cd7cf in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1169
    #4 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016
    #5 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #6 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132
    #7 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016
    #8 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #9 0x7fe1bd4aa363 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:649
    #10 0x7fe1bd4b071b in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsColumnSetFrame.cpp:928
    #11 0x7fe1bd46ac20 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
    #12 0x7fe1bd40d6ad in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3099
    #13 0x7fe1bd4023f9 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2478
    #14 0x7fe1bd3e9507 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:1998
    #15 0x7fe1bd3dc753 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1041
    #16 0x7fe1bd46ac20 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
    #17 0x7fe1bd40d6ad in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3099
    #18 0x7fe1bd4023f9 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2478
    #19 0x7fe1bd3e9507 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:1998
    #20 0x7fe1bd3dc753 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1041
    #21 0x7fe1bd46ac20 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268
    #22 0x7fe1bd40d6ad in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3099
    #23 0x7fe1bd4023f9 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2478
    #24 0x7fe1bd3e9507 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:1998
    #25 0x7fe1bd3dc753 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1041
    #26 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #27 0x7fe1bd6989c6 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsCanvasFrame.cpp:472
    #28 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #29 0x7fe1bd60fd28 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) src/layout/generic/nsGfxScrollFrame.cpp:433
    #30 0x7fe1bd614886 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) src/layout/generic/nsGfxScrollFrame.cpp:533
    #31 0x7fe1bd618f20 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsGfxScrollFrame.cpp:774
    #32 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #33 0x7fe1bda07faa in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsViewportFrame.cpp:202
    #34 0x7fe1bd13d80b in PresShell::DoReflow(nsIFrame*, bool) src/layout/base/nsPresShell.cpp:7532
    #35 0x7fe1bd16cbdd in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7673
    #36 0x7fe1bd16b72e in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3885
    #37 0x7fe1bd211954 in nsRefreshDriver::Notify(nsITimer*) src/layout/base/nsRefreshDriver.cpp:406
    #38 0x7fe1c9cf3103 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:485
    #39 0x7fe1c9cf44a1 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565
    #40 0x7fe1c9cb714e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
    #41 0x7fe1c992d0ff in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:221
    #42 0x7fe1c7b482e6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #43 0x7fe1c9fa2c6e in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
    #44 0x7fe1c9fa2ab5 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
    #45 0x7fe1c9fa299b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
    #46 0x7fe1c6f45d54 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #47 0x7fe1c5a83142 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:291
    #48 0x7fe1bae95b24 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3824
    #49 0x7fe1bae9b7f9 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3891
    #50 0x7fe1bae9e570 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4089
    #51 0x40c2c6 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #52 0x409b00 in main src/browser/app/nsBrowserApp.cpp:279
    #53 0x7fe1da2df76c in
0x7fe1a3eff8c0 is located 0 bytes inside of 16-byte region [0x7fe1a3eff8c0,0x7fe1a3eff8d0)
freed by thread T0 here:
    #0 0x4c3960 in free
    #1 0x7fe1db2ef4b5 in moz_free src/memory/mozalloc/mozalloc.cpp:48
    #2 0x7fe1bd4d12e8 in operator delete(void*) src/../../dist/include/mozilla/mozalloc.h:224
    #3 0x7fe1bd4d12e8 in nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) src/layout/generic/nsContainerFrame.cpp:1422
    #4 0x7fe1bd4d0783 in nsContainerFrame::StealFrame(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsContainerFrame.cpp:1212
    #5 0x7fe1bd4485bc in nsBlockFrame::StealFrame(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsBlockFrame.cpp:5540
    #6 0x7fe1bd4d2dac in nsContainerFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsContainerFrame.cpp:1359
    #7 0x7fe1bd44a440 in nsBlockFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsBlockFrame.cpp:5627
    #8 0x7fe1bd4c938b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:964
    #9 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132
    #10 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016
    #11 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #12 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132
    #13 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016
    #14 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #15 0x7fe1bd4aa363 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:649
previously allocated by thread T0 here:
    #0 0x4c3a20 in malloc
    #1 0x7fe1db2ef5f1 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7fe1bd4cec9f in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fe1bd4cec9f in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1664
    #4 0x7fe1bd4cd7cf in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1169
    #5 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016
    #6 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
    #7 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132
    #8 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016
    #9 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952
Shadow byte and word:
  0x1ffc347dff18: fd
  0x1ffc347dff18: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffc347dfef8: fd fd fd fd fd fd fd fd
  0x1ffc347dff00: fa fa fa fa fa fa fa fa
  0x1ffc347dff08: fd fd fd fd fd fd fd fd
  0x1ffc347dff10: fa fa fa fa fa fa fa fa
=>0x1ffc347dff18: fd fd fd fd fd fd fd fd
  0x1ffc347dff20: fa fa fa fa fa fa fa fa
  0x1ffc347dff28: 00 00 00 00 fb fb fb fb
  0x1ffc347dff30: fa fa fa fa fa fa fa fa
  0x1ffc347dff38: 00 00 fb fb fb fb fb fb
Stats: 248M malloced (227M for red zones) by 335899 calls
Stats: 46M realloced by 17937 calls
Stats: 223M freed by 225009 calls
Stats: 189M really freed by 165935 calls
Stats: 229M (58700 full pages) mmaped in 435 calls
  mmaps   by size class: 7:106470; 8:42987; 9:14322; 10:6132; 11:7650; 12:1280; 13:832; 14:512; 15:224; 16:720; 17:464; 18:34; 19:35; 20:21;
  mallocs by size class: 7:194636; 8:82680; 9:23231; 10:8865; 11:17593; 12:2266; 13:1768; 14:1596; 15:403; 16:1333; 17:1396; 18:70; 19:40; 20:22;
  frees   by size class: 7:123292; 8:55530; 9:17070; 10:5819; 11:15789; 12:1532; 13:1552; 14:1415; 15:281; 16:1234; 17:1381; 18:57; 19:38; 20:19;
  rfrees  by size class: 7:92112; 8:41051; 9:12619; 10:2922; 11:11468; 12:1026; 13:983; 14:1253; 15:219; 16:863; 17:1314; 18:49; 19:37; 20:19;
Stats: malloc large: 3264 small slow: 4711
==18754== ABORTING
Component: General → Layout
Product: Firefox → Core
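The three stacks in the report above (the bad READ, the free that preceded it, and the allocation that preceded the free) are what a triager reads first: the access site tells you which code held a stale pointer, the free site tells you who invalidated it, and the pair of key frames is what makes two reports with different addresses recognisable as the same bug, which is how this report ended up marked as a duplicate of bug 812893. The script below is an added example, not code from this bug or from Mozilla: it parses an ASan heap-use-after-free report into those sections, picks a "key frame" per stack by skipping allocator entry points and wrappers (the `ALLOCATOR_FUNCS` list is our own heuristic, not anything ASan defines), and derives a deduplication signature from them. The sample input is a constructed, abbreviated copy of the report above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: an abbreviated copy of the AddressSanitizer report
# in this bug's description (only the first frames of each stack are kept).
SAMPLE_REPORT = """\
==18754== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe1a3eff8c0 at pc 0x7fe1bd5c3f18 bp 0x7ffface44c30 sp 0x7ffface44c28
READ of size 8 at 0x7fe1a3eff8c0 thread T0
    #0 0x7fe1bd5c3f17 in nsFrameList::InsertFrames(nsIFrame*, nsIFrame*, nsFrameList&) src/layout/generic/nsFrameList.cpp:200
    #1 0x7fe1bcc4c32f in nsFrameList::InsertFrame(nsIFrame*, nsIFrame*, nsIFrame*) src/layout/xul/base/src/../../../generic/nsFrameList.h:184
    #2 0x7fe1bd4cf344 in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1675
0x7fe1a3eff8c0 is located 0 bytes inside of 16-byte region [0x7fe1a3eff8c0,0x7fe1a3eff8d0)
freed by thread T0 here:
    #0 0x4c3960 in free
    #1 0x7fe1db2ef4b5 in moz_free src/memory/mozalloc/mozalloc.cpp:48
    #2 0x7fe1bd4d12e8 in operator delete(void*) src/../../dist/include/mozilla/mozalloc.h:224
    #3 0x7fe1bd4d12e8 in nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) src/layout/generic/nsContainerFrame.cpp:1422
previously allocated by thread T0 here:
    #0 0x4c3a20 in malloc
    #1 0x7fe1db2ef5f1 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7fe1bd4cec9f in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fe1bd4cec9f in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1664
Shadow byte and word:
  0x1ffc347dff18: fd
==18754== ABORTING
"""

@dataclass
class Frame:
    index: int
    function: str            # full symbol as printed, e.g. "operator delete(void*)"
    file: Optional[str]      # None for frames ASan could not symbolize to a file
    line: Optional[int]

@dataclass
class AsanReport:
    error: str = ""          # e.g. "heap-use-after-free"
    address: str = ""
    access: str = ""         # "READ" or "WRITE"
    size: int = 0
    offset: Optional[int] = None       # bytes into the region
    region_size: Optional[int] = None  # size of the freed/allocated region
    stacks: dict = field(default_factory=dict)  # "access"/"freed"/"allocated" -> [Frame]

HEADER_RE = re.compile(r"^==\d+==\s*ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in ?(.*)$")
LOC_RE = re.compile(r" (\S+):(\d+)$")   # trailing "file:line", if present

# Heuristic (ours, not ASan's): frames to skip when looking for the code that matters.
ALLOCATOR_FUNCS = ("malloc", "free", "moz_free", "moz_xmalloc", "operator new", "operator delete")

def parse_frame(line: str) -> Optional[Frame]:
    """Parse one '#N 0xADDR in symbol file:line' frame; the symbol may contain spaces."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(2).strip()
    loc = LOC_RE.search(rest)
    if loc:
        return Frame(int(m.group(1)), rest[:loc.start()], loc.group(1), int(loc.group(2)))
    return Frame(int(m.group(1)), rest, None, None)

def parse_asan_report(text: str) -> AsanReport:
    """Split a heap-use-after-free report into header fields and its three stacks."""
    rep = AsanReport()
    current = None                      # which stack the following frames belong to
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            rep.error, rep.address = m.group(1), m.group(2)
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size = m.group(1), int(m.group(2))
            current = "access"
        elif (m := REGION_RE.match(line)):
            rep.offset, rep.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by thread"):
            current = "freed"
        elif line.startswith("previously allocated by thread"):
            current = "allocated"
        elif current and (f := parse_frame(line)):
            rep.stacks.setdefault(current, []).append(f)
        elif line.strip() and not line.startswith(" "):
            current = None              # any other top-level line (e.g. shadow dump) ends a stack

    return rep

def key_frame(stack) -> Optional[Frame]:
    """First frame with a source location that is not an allocator entry point or wrapper."""
    for f in stack:
        if f.file is None or f.function.startswith(ALLOCATOR_FUNCS) or "/memory/" in f.file:
            continue
        return f
    return None

def short_name(function: str) -> str:
    return function.split("(", 1)[0]    # drop the parameter list

def signature(rep: AsanReport) -> str:
    """Dedup key: error type plus the key frame of the access, free and allocation stacks."""
    parts = [rep.error]
    for name in ("access", "freed", "allocated"):
        f = key_frame(rep.stacks.get(name, []))
        parts.append(short_name(f.function) if f else "?")
    return "|".join(parts)

def summarize(rep: AsanReport) -> str:
    lines = [f"{rep.error}: {rep.access} of {rep.size} bytes at {rep.address} "
             f"({rep.offset} bytes into a {rep.region_size}-byte region)"]
    for name in ("access", "freed", "allocated"):
        f = key_frame(rep.stacks.get(name, []))
        if f:
            lines.append(f"  {name:>9}: {short_name(f.function)} ({f.file}:{f.line})")
    return "\n".join(lines)

if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(summarize(report))
    print("signature:", signature(report))
```

Run stand-alone it prints the access, free and allocation key frames of the sample report and the signature `heap-use-after-free|nsFrameList::InsertFrames|nsContainerFrame::RemovePropTableFrame|nsOverflowContinuationTracker::Insert`; feeding it the full report from the description gives the same signature, since the extra frames are deeper in each stack.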
Isn't frame-poisoning supposed to protect us from this kind of thing? Or does that not apply to nsFrameLists?
Flags: sec-bounty?
Keywords: crash, testcase
Keywords: sec-critical
Mats, can you help this one get love?
Assignee: nobody → matspal
Whiteboard: [asan]
Comment 4 (Assignee, 5 years ago)

The testcase doesn't crash for me (m-c ASan debug Linux64), but I do get this:
###!!! ASSERTION: overflow container must not have computedHeightLeftOver: '!( IS_TRUE_OVERFLOW_CONTAINER(this) && computedHeightLeftOver )', file layout/generic/nsBlockFrame.cpp, line 1353

With my tentative fix for bug 812893 the assertion does not occur, so I think it's the same underlying bug.
Depends on: 812893
Flags: in-testsuite?
Keywords: assertion
Abhishek: is this fixed by the patch in bug 812893?
status-firefox21: --- → affected
tracking-firefox21: --- → +
Flags: needinfo?(inferno)
Comment 6 (Reporter, 5 years ago)

(In reply to Daniel Veditz [:dveditz] from comment #5)
> Abhishek: is this fixed by the patch in bug 812893?

Verified on trunk with patch from 812893 that the crash does not reproduce anymore.
Flags: needinfo?(inferno)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox21: affected → fixed
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [asan] → [asan][sg:dupe 812893]
Duplicate of bug: 812893
Whiteboard: [asan][sg:dupe 812893] → [asan][sg:dupe 812893][adv-main21-]
Group: core-security