Closed Bug 824719 Opened 12 years ago Closed 11 years ago

Heap-use-after-free in nsINode::GetBoolFlag

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
Linux
defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla20
Tracking Status
firefox19 --- unaffected
firefox20 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Assigned: smontagu)

References

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan][sg:dupe 819623][adv-main20-])

Recently there have been a few other bugs with similar stack traces: bugs 815500, 816253 and 819014. Those three are currently "resolved fixed" and the patches should be applied, but this crash still occurs on my machines.

Tested on ASAN-build from https://people.mozilla.com/~choller/firefox/asan/20121226-mozilla-central-linux64-debug-5a1f68dbd885+asan.html

Repro-file:

<!DOCTYPE html>
<html>
<body>
<div id='console'></div>
<div id='parentDiv'>
<div id='right-to-left1' dir=auto class=testElement>
<input type=text value="a">a
</div>
<div id='right-to-left2' dir=auto class=testElement>
</div>
</div>

<script type="text/javascript">

document.getElementById("right-to-left2").appendChild(document.createElement("p"))
var test5=document.getElementById("right-to-left1")
var test6=document.getElementById("console").appendChild(document.createElement("dl"))

test6.appendChild(document.createElement("img"))

// detach the dir=auto element, release its text child, then bind a new subtree under it
test5.parentNode.removeChild(test5)
test5.innerHTML=''
test5.appendChild(test6.cloneNode(true))
</script>

</body>
</html>


ASAN-report:

==17144== ERROR: AddressSanitizer heap-use-after-free on address 0x7f33ad6928ac at pc 0x7f33cae8a91d bp 0x7fff920c2290 sp 0x7fff920c2288
READ of size 4 at 0x7f33ad6928ac thread T0
    #0 0x7f33cae8a91c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /builds/slave/try-lnx64-dbg/build/../../dist/include/nsINode.h:1343
    #1 0x7f33cb52362d in nsINode::HasTextNodeDirectionalityMap() const /builds/slave/try-lnx64-dbg/build/../../../dist/include/nsINode.h:1426
    #2 0x7f33cb522de1 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:532
    #3 0x7f33cb5231c8 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:641
    #4 0x7f33cb662589 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:1173
    #5 0x7f33cb8904ea in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:603
    #6 0x7f33cb68a34c in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1322
    #7 0x7f33cb68c2da in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1926
    #8 0x7f33cd3ab3a7 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:549
    #9 0x7f33cd3a8259 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:1350
    #10 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
.
.
.
freed by thread T0 here:
    #0 0x43f1a0 in operator delete(void*) ??:0
    #1 0x7f33cb6af45c in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsNodeUtils.cpp:258
    #2 0x7f33cb6787d7 in nsGenericDOMDataNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsGenericDOMDataNode.cpp:117
    #3 0x7f33cb6f43ae in nsTextNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:127
    #4 0x7f33cb73ac80 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/FragmentOrElement.cpp:890
    #5 0x7f33cb66b093 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:3387
    #6 0x7f33cd344b4f in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1560
    #7 0x7f33cd343785 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1895
    #8 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
    #9 0x7f33ce822413 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:391
    #10 0x7f33ce6db299 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.h:112
.
.
.
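The two stack traces above have the shape of a classic side-table use-after-free: the text node is released from `SetInnerHTML` → `RemoveChildAt`, yet a later `appendChild` → `BindToTree` → `WalkAncestorsResetAutoDirection` → `RemoveElementFromMap` still reads a flag on it. The following is an added example, a small hypothetical C++ model of that bug class written for this page; it is not Gecko code and none of its names (`Element`, `TextNode`, `directionalityMap`, `ReplayRepro`) are the real ones. It replays the repro sequence (text child registered for `dir=auto`, `innerHTML = ''`, then `appendChild`) against a buggy variant that leaves a raw pointer in the side table and a hardened variant that unregisters the text node before the child array drops it, and counts the dangling entries the ancestor walk would touch.

```cpp
// Added example: a deliberately small C++ model of the bug class in this
// report, NOT Gecko code.  An element keeps a side table of raw pointers to the
// text nodes that decide its dir=auto direction; innerHTML='' releases a child
// text node, the side table keeps the dangling pointer, and the ancestor walk
// run on the next appendChild visits it.  All names are hypothetical.
#include <memory>
#include <set>
#include <vector>

// Registry of live node addresses.  The model consults it by pointer value
// only, so it can report a dangling entry without reading freed memory.
static std::set<const void*>& LiveNodes() {
    static std::set<const void*> live;
    return live;
}

struct Node {
    Node() { LiveNodes().insert(this); }
    virtual ~Node() { LiveNodes().erase(this); }
};

struct TextNode : Node {};

struct Element : Node {
    std::vector<std::unique_ptr<Node>> children;  // owning, like the child array
    std::set<TextNode*> directionalityMap;         // raw pointers, like the side table
    bool unregisterOnRemove;                        // false = buggy, true = hardened

    explicit Element(bool hardened) : unregisterOnRemove(hardened) {}

    // dir=auto: a text child contributes to the element's direction, so the
    // element records a raw pointer to it.
    TextNode* AppendText() {
        auto text = std::make_unique<TextNode>();
        TextNode* raw = text.get();
        children.push_back(std::move(text));
        directionalityMap.insert(raw);
        return raw;
    }

    // Models innerHTML = '': every child is released.  Only the hardened
    // variant removes the text nodes from the side table first.
    void ClearChildren() {
        if (unregisterOnRemove) {
            for (auto& child : children)
                if (auto* text = dynamic_cast<TextNode*>(child.get()))
                    directionalityMap.erase(text);
        }
        children.clear();  // frees the text node(s)
    }

    // Models the reset-auto-direction walk run when a new child is bound: it
    // visits every mapped text node.  Returns how many entries point at memory
    // that is no longer a live node, i.e. would be a use-after-free.
    int ResetAutoDirection() const {
        int dangling = 0;
        for (TextNode* text : directionalityMap)
            if (LiveNodes().count(text) == 0)
                ++dangling;
        return dangling;
    }

    // Models appendChild: the walk happens before the child is owned.
    int AppendChild(std::unique_ptr<Node> child) {
        int dangling = ResetAutoDirection();
        children.push_back(std::move(child));
        return dangling;
    }
};

// Replays the repro sequence on the model and returns the number of dangling
// side-table entries the final appendChild would touch.
int ReplayRepro(bool hardened) {
    Element parent(hardened);
    parent.AppendText();                               // <div dir=auto>...a</div>
    auto clone = std::make_unique<Element>(hardened);  // allocated before the free so
                                                       // the address check stays honest
    parent.ClearChildren();                            // innerHTML = ''
    return parent.AppendChild(std::move(clone));       // appendChild(clone)
}

int main() {
    // buggy variant: 1 dangling entry; hardened variant: 0
    return (ReplayRepro(false) == 1 && ReplayRepro(true) == 0) ? 0 : 1;
}
```

The liveness registry stands in for what ASan does with its shadow memory: it lets the model say "this pointer no longer names a live node" without dereferencing it. The point of the hardened variant is the ordering, not the data structure: any side table that holds raw pointers into the DOM must be updated on the same path that drops the owning reference, otherwise an unrelated later walk (here, binding a new child) becomes the crash site.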
Component: General → Layout: Text
Product: Firefox → Core
I'm going to go ahead and guess that this is another regression from bug 548206. Please update as appropriate if this turns out to not be the case.
Blocks: DirAuto
Whiteboard: [asan]
There's a good chance this is the same issue as bug 815276 under the hood...
Depends on: 815276
Fixed by the patch for bug 819623, but not duping for now so that it gets QA love.
Assignee: nobody → smontagu
Depends on: 819623
Whiteboard: [asan] → [asan][sg:dupe 819623]
What is the QA love you are wanting here since it isn't marked QA wanted or anything?
I think he means verification.
Keywords: verifyme
Yes, but I wasn't going to add verifyme until 819623 is fixed. Right now there is nothing to verify in nightlies.
Sure, but I think QA doesn't look at things with verifyme until they are closed, so we can just leave the flag here until this is fixed.
QA love has arrived. 

Linux ASan build from today still crashes on the code snippet in comment 0.

http://people.mozilla.org/~choller/firefox/asan/20121231-mozilla-central-linux64-opt-0d771761b9b3+asan.html

Simon, would you mind taking a look? Thanks.
Please read comments 6 and 7 again. This is expected to go on crashing until attachment 694559 [details] [diff] [review] from bug 819623 gets reviewed and checked in.
Checked in the testcase, since it is reproducible on a standard build, unlike bug 819623.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a1fd60b9fab0
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Is the status-firefox20 here still true?  (I think not, but I'm not sure.)
QA, please verify that this is fixed since bug 819623 is marked fixed (might want to verify it too).
Flags: needinfo?(mwobensmith)
https://hg.mozilla.org/mozilla-central/rev/a1fd60b9fab0
Flags: in-testsuite+
Target Milestone: --- → mozilla20
Confirmed crash on central, ASan build 2012-12-26.
Confirmed fixed on central, ASan build 2012-01-10.
Confirmed fixed on central, release build 2012-01-10.
Status: RESOLVED → VERIFIED
Flags: needinfo?(mwobensmith)
Keywords: verifyme
Whiteboard: [asan][sg:dupe 819623] → [asan][sg:dupe 819623][adv-main20-]
Group: core-security