Bug 824719 (Closed): Heap-use-after-free in nsINode::GetBoolFlag
Opened 12 years ago, closed 11 years ago
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking: VERIFIED FIXED, target milestone mozilla20
Branch | Tracking | Status
---|---|---
firefox19 | --- | unaffected
firefox20 | + | verified
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People
(Reporter: attekett, Assigned: smontagu)
References
Details
(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan][sg:dupe 819623][adv-main20-])
Recently there have been a few other bugs with a similar stack trace: bugs 815500, 816253 and 819014. Those three are currently "resolved fixed" and the patches should be applied, but this crash still occurs on my machines.

Tested on ASAN build from https://people.mozilla.com/~choller/firefox/asan/20121226-mozilla-central-linux64-debug-5a1f68dbd885+asan.html

Repro file:

```html
<!DOCTYPE html>
<html>
<div id='console'></div>
<div id='parentDiv'>
<div id='right-to-left1' dir=auto class=testElement>
<input type=text value="a">a
</div>
<div id='right-to-left2' dir=auto class=testElement>
</div>
</div>
<script type="text/javascript">
document.getElementById("right-to-left2").appendChild(document.createElement("p"))
var test5=document.getElementById("right-to-left1")
var test6=document.getElementById("console").appendChild(document.createElement("dl"))
test6.appendChild(document.createElement("img"))
test5.parentNode.removeChild(test5)
// Frees the text node child (see the "freed by" trace: SetInnerHTML -> RemoveChildAt)
test5.innerHTML=''
// Re-binds into the detached dir=auto subtree; the ancestor walk reads the freed node
test5.appendChild(test6.cloneNode(true))
</script>
</body>
</html>
```

ASAN report:

```
==17144== ERROR: AddressSanitizer heap-use-after-free on address 0x7f33ad6928ac at pc 0x7f33cae8a91d bp 0x7fff920c2290 sp 0x7fff920c2288
READ of size 4 at 0x7f33ad6928ac thread T0
    #0 0x7f33cae8a91c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /builds/slave/try-lnx64-dbg/build/../../dist/include/nsINode.h:1343
    #1 0x7f33cb52362d in nsINode::HasTextNodeDirectionalityMap() const /builds/slave/try-lnx64-dbg/build/../../../dist/include/nsINode.h:1426
    #2 0x7f33cb522de1 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:532
    #3 0x7f33cb5231c8 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:641
    #4 0x7f33cb662589 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:1173
    #5 0x7f33cb8904ea in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:603
    #6 0x7f33cb68a34c in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1322
    #7 0x7f33cb68c2da in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1926
    #8 0x7f33cd3ab3a7 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:549
    #9 0x7f33cd3a8259 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:1350
    #10 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
    ...
freed by thread T0 here:
    #0 0x43f1a0 in operator delete(void*) ??:0
    #1 0x7f33cb6af45c in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsNodeUtils.cpp:258
    #2 0x7f33cb6787d7 in nsGenericDOMDataNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsGenericDOMDataNode.cpp:117
    #3 0x7f33cb6f43ae in nsTextNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:127
    #4 0x7f33cb73ac80 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/FragmentOrElement.cpp:890
    #5 0x7f33cb66b093 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:3387
    #6 0x7f33cd344b4f in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1560
    #7 0x7f33cd343785 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1895
    #8 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
    #9 0x7f33ce822413 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:391
    #10 0x7f33ce6db299 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.h:112
    ...
```
Component: General → Layout: Text
Product: Firefox → Core
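The two stack traces in the report show the shape of the bug: the text node is released from Element::SetInnerHTML via RemoveChildAt, and later dereferenced from Element::BindToTree via WalkAncestorsResetAutoDirection and nsTextNodeDirectionalityMap::RemoveElementFromMap, which reads the freed node's flag word. That is the "raw pointer in a side table outlives the object" class of use-after-free. The C program below is an added example written for this page, not Gecko code and not the patch from bug 819623: the type names, the map layout, the flag bit and the release/walk protocol are all assumptions chosen to illustrate the pattern. Freed nodes are quarantined rather than returned to malloc (as ASan's allocator does) so that the stale read can be counted deterministically instead of being undefined behaviour.

```c
/* Added example, not Gecko code: minimal model of a side table that keeps
 * raw pointers to nodes owned elsewhere. All names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAP_CAP 8

typedef struct TextNode {
    unsigned flags;   /* stands in for nsINode's boolean-flag word */
    bool freed;       /* quarantine marker: set when the node is released */
} TextNode;

/* "Directionality map": raw pointers to text nodes, no ownership. */
typedef struct DirMap {
    TextNode *entries[MAP_CAP];
    size_t count;
    size_t stale_reads;   /* incremented whenever a freed node is dereferenced */
} DirMap;

static TextNode *node_new(void) {
    TextNode *n = calloc(1, sizeof *n);
    if (n) n->flags = 1u;   /* assumed bit: "has directionality map" */
    return n;
}

static void map_add(DirMap *m, TextNode *n) {
    if (m->count < MAP_CAP) m->entries[m->count++] = n;
}

static void map_remove(DirMap *m, TextNode *n) {
    for (size_t i = 0; i < m->count; i++) {
        if (m->entries[i] == n) { m->entries[i] = m->entries[--m->count]; return; }
    }
}

/* Release puts the node in quarantine instead of calling free(), so a
 * later read through a dangling map entry is observable, not UB. */
static void node_release(TextNode *n) { n->freed = true; }

/* Buggy path (innerHTML = '' in the report): child dropped, map entry kept. */
static void remove_child_buggy(DirMap *m, TextNode *n) { (void)m; node_release(n); }

/* Fixed path: unregister from the map before the node can go away. */
static void remove_child_fixed(DirMap *m, TextNode *n) { map_remove(m, n); node_release(n); }

/* Stand-in for the ancestor walk: reads each registered node's flag word.
 * Returns the number of live entries; stale reads are counted in the map. */
static size_t walk_reset_auto_direction(DirMap *m) {
    size_t live = 0;
    for (size_t i = 0; i < m->count; i++) {
        TextNode *n = m->entries[i];
        if (n->freed) { m->stale_reads++; continue; }   /* real code: heap-use-after-free here */
        if (n->flags & 1u) live++;
    }
    return live;
}

/* Drive the report's sequence: register, remove the child, re-bind (walk).
 * Returns how many use-after-free reads the walk performed. */
static size_t run_scenario(bool fixed) {
    DirMap map = {0};
    TextNode *t = node_new();
    if (!t) return (size_t)-1;
    map_add(&map, t);
    if (fixed) remove_child_fixed(&map, t); else remove_child_buggy(&map, t);
    walk_reset_auto_direction(&map);
    free(t);   /* leave quarantine only once nothing can reach the node */
    return map.stale_reads;
}

int main(void) {
    printf("buggy release: %zu stale read(s)\n", run_scenario(false));
    printf("fixed release: %zu stale read(s)\n", run_scenario(true));
    return 0;
}
```

The fix shape shown here (unregister from every side table on the release path, before the object is freed) is the general remedy for this class; the actual Gecko change lives in bug 819623 and is not reproduced on this page.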
Comment 1 • 12 years ago
I'm going to go ahead and guess that this is another regression from bug 548206. Please update as appropriate if this turns out to not be the case.
Comment 2 • 12 years ago
There's a good chance this is the same issue as bug 815276 under the hood...
tracking-firefox20: --- → ?
Depends on: 815276
Comment 3 (Assignee) • 12 years ago
Fixed by the patch for bug 819623, but not duping for now so that it gets QA love.
Assignee: nobody → smontagu
Depends on: 819623
Updated • 12 years ago
Whiteboard: [asan] → [asan][sg:dupe 819623]
Comment 4 • 12 years ago
What is the QA love you are wanting here since it isn't marked QA wanted or anything?
Comment 6 (Assignee) • 12 years ago
Yes, but I wasn't going to add verifyme until 819623 is fixed. Right now there is nothing to verify in nightlies.
Comment 7 • 12 years ago
Sure, but I think QA doesn't look at things with verifyme until they are closed, so we can just leave the flag here until this is fixed.
Comment 8 • 12 years ago
QA love has arrived. Linux ASan build from today still crashes on code snippet in comment 0. http://people.mozilla.org/~choller/firefox/asan/20121231-mozilla-central-linux64-opt-0d771761b9b3+asan.html Simon, would you mind taking a look? Thanks.
Comment 9 (Assignee) • 12 years ago
Please read comments 6 and 7 again. This is expected to go on crashing until attachment 694559 [details] [diff] [review] from bug 819623 gets reviewed and checked in.
Updated • 12 years ago
Comment 10 (Assignee) • 11 years ago
Checked in the testcase, since it is reproducible on a standard build, unlike bug 819623. https://hg.mozilla.org/integration/mozilla-inbound/rev/a1fd60b9fab0
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Is the status-firefox20 here still true? (I think not, but I'm not sure.)
Comment 12 • 11 years ago
QA, please verify that this is fixed since bug 819623 is marked fixed (might want to verify it too).
Flags: needinfo?(mwobensmith)
Comment 13 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/a1fd60b9fab0
Flags: in-testsuite+
Target Milestone: --- → mozilla20
Updated (Assignee) • 11 years ago
Comment 14 • 11 years ago
Confirmed crash on central, ASan build 2012-12-26. Confirmed fixed on central, ASan build 2012-01-10. Confirmed fixed on central, release build 2012-01-10.
Updated • 11 years ago
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox-esr17: --- → unaffected
Flags: sec-bounty-
Updated • 11 years ago
Whiteboard: [asan][sg:dupe 819623] → [asan][sg:dupe 819623][adv-main20-]
Updated • 11 years ago
Group: core-security