Heap-use-after-free in nsINode::GetBoolFlag

VERIFIED FIXED in Firefox 20

People

(Reporter: attekett, Assigned: smontagu)

Tracking

({csectype-uaf, regression, sec-critical})

Trunk
mozilla20
x86_64
Linux
Bug Flags:
sec-bounty -
in-testsuite +

Firefox Tracking Flags

(firefox19 unaffected, firefox20+ verified, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][sg:dupe 819623][adv-main20-])

(Reporter)

Description

6 years ago
Recently there have been a few other bugs with a similar stack trace: bugs 815500, 816253 and 819014. Those three are currently "resolved fixed" and the patches should be applied, but this crash still occurs on my machines.

Tested on ASAN-build from https://people.mozilla.com/~choller/firefox/asan/20121226-mozilla-central-linux64-debug-5a1f68dbd885+asan.html

Repro-file:

<!DOCTYPE html>
<html>
<body>
<div id='console'></div>
<div id='parentDiv'>
<div id='right-to-left1' dir=auto class=testElement>
<input type=text value="a">a
</div>
<div id='right-to-left2' dir=auto class=testElement>
</div>
</div>

<script type="text/javascript">

document.getElementById("right-to-left2").appendChild(document.createElement("p"))
var test5=document.getElementById("right-to-left1")
var test6=document.getElementById("console").appendChild(document.createElement("dl"))

test6.appendChild(document.createElement("img"))

// Detach the dir=auto div, then clear its children: the text node "a" is released here
// (nsTextNode::Release via SetInnerHTML in the "freed by" stack below)
test5.parentNode.removeChild(test5)
test5.innerHTML=''
// Binding a new subtree under the detached div walks its auto-direction state
// (BindToTree -> WalkAncestorsResetAutoDirection in the "READ" stack below)
test5.appendChild(test6.cloneNode(true))
</script>

</body>
</html>


ASAN-report:

==17144== ERROR: AddressSanitizer heap-use-after-free on address 0x7f33ad6928ac at pc 0x7f33cae8a91d bp 0x7fff920c2290 sp 0x7fff920c2288
READ of size 4 at 0x7f33ad6928ac thread T0
    #0 0x7f33cae8a91c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /builds/slave/try-lnx64-dbg/build/../../dist/include/nsINode.h:1343
    #1 0x7f33cb52362d in nsINode::HasTextNodeDirectionalityMap() const /builds/slave/try-lnx64-dbg/build/../../../dist/include/nsINode.h:1426
    #2 0x7f33cb522de1 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:532
    #3 0x7f33cb5231c8 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:641
    #4 0x7f33cb662589 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:1173
    #5 0x7f33cb8904ea in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:603
    #6 0x7f33cb68a34c in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1322
    #7 0x7f33cb68c2da in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1926
    #8 0x7f33cd3ab3a7 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:549
    #9 0x7f33cd3a8259 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:1350
    #10 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
.
.
.
freed by thread T0 here:
    #0 0x43f1a0 in operator delete(void*) ??:0
    #1 0x7f33cb6af45c in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsNodeUtils.cpp:258
    #2 0x7f33cb6787d7 in nsGenericDOMDataNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsGenericDOMDataNode.cpp:117
    #3 0x7f33cb6f43ae in nsTextNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:127
    #4 0x7f33cb73ac80 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/FragmentOrElement.cpp:890
    #5 0x7f33cb66b093 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:3387
    #6 0x7f33cd344b4f in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1560
    #7 0x7f33cd343785 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1895
    #8 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
    #9 0x7f33ce822413 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:391
    #10 0x7f33ce6db299 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.h:112
.
.
.
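The report pairs a free in nsTextNode::Release() (reached from SetInnerHTML) with a later read through the text node directionality map when an element is re-bound. As an added illustration that is not Mozilla's code, the constructed C++ model below shows the same shape of bug: a dir=auto element caching a raw pointer to the text node that resolved it, and the hardening of severing that back-pointer when the node is destroyed. The names TextNode, Element, SetDirSource and ResolveAutoDirection are invented for the model.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Element;

// Models a text node whose content decides the direction of dir=auto ancestors.
struct TextNode {
    bool rtl = false;
    std::vector<Element*> dependents;   // elements whose cached pointer targets this node
    ~TextNode();                        // severs every back-pointer before the memory goes away
};

// Models an element with dir=auto that caches which text node resolved it.
struct Element {
    TextNode* dirSource = nullptr;      // the raw back-pointer that dangled in the report

    void SetDirSource(TextNode* t) {
        dirSource = t;
        t->dependents.push_back(this);
    }
    ~Element() {                        // symmetric cleanup so the node never holds a dead Element*
        if (dirSource) {
            auto& d = dirSource->dependents;
            d.erase(std::remove(d.begin(), d.end(), this), d.end());
        }
    }
    // What the ancestor walk does on re-binding: consult the cached node.
    // With the back-pointer cleared on free this is a null check, not a read of freed memory.
    bool ResolveAutoDirection() const { return dirSource ? dirSource->rtl : false; }
};

TextNode::~TextNode() {
    for (Element* e : dependents)
        if (e->dirSource == this) e->dirSource = nullptr;
}

// Replays the testcase's order of operations: cache the node, destroy the subtree that
// owns it (innerHTML = ''), then re-bind the element. Returns true if the lookup
// after the free is safe and falls back to the default (LTR) direction.
bool ReinsertAfterFreeIsSafe() {
    Element el;
    {
        auto text = std::make_unique<TextNode>();
        text->rtl = true;
        el.SetDirSource(text.get());
        if (!el.ResolveAutoDirection()) return false;   // direction came from the node
    }   // text node freed here, as nsTextNode::Release() is in the "freed by" stack
    return el.dirSource == nullptr && el.ResolveAutoDirection() == false;
}
```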
I'm going to go ahead and guess that this is another regression from bug 548206. Please update as appropriate if this turns out to not be the case.
Blocks: 548206
status-firefox20: --- → affected
Keywords: csec-uaf, regression, sec-critical
Whiteboard: [asan]
There's a good chance this is the same issue as bug 815276 under the hood...
tracking-firefox20: --- → ?
Depends on: 815276
(Assignee)

Comment 3

6 years ago
Fixed by the patch for bug 819623, but not duping for now so that it gets QA love.
Assignee: nobody → smontagu
Depends on: 819623
Whiteboard: [asan] → [asan][sg:dupe 819623]
What is the QA love you are wanting here since it isn't marked QA wanted or anything?
I think he means verification.
Keywords: verifyme
(Assignee)

Comment 6

6 years ago
Yes, but I wasn't going to add verifyme until 819623 is fixed. Right now there is nothing to verify in nightlies.
Sure, but I think QA doesn't look at things with verifyme until they are closed, so we can just leave the flag here until this is fixed.
QA love has arrived. 

Linux ASan build from today still crashes on code snippet in comment 0.

http://people.mozilla.org/~choller/firefox/asan/20121231-mozilla-central-linux64-opt-0d771761b9b3+asan.html

Simon, would you mind taking a look? Thanks.
(Assignee)

Comment 9

6 years ago
Please read comments 6 and 7 again. This is expected to go on crashing until attachment 694559 [details] [diff] [review] from bug 819623 gets reviewed and checked in.
tracking-firefox20: ? → +
(Assignee)

Comment 10

6 years ago
Checked in the testcase, since it is reproducible on a standard build, unlike bug 819623.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a1fd60b9fab0
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
QA, please verify that this is fixed since bug 819623 is marked fixed (might want to verify it too).
Flags: needinfo?(mwobensmith)
https://hg.mozilla.org/mozilla-central/rev/a1fd60b9fab0
Flags: in-testsuite+
Target Milestone: --- → mozilla20
(Assignee)

Updated

6 years ago
status-firefox20: affected → fixed
Confirmed crash on central, ASan build 2012-12-26.
Confirmed fixed on central, ASan build 2012-01-10.
Confirmed fixed on central, release build 2012-01-10.
Status: RESOLVED → VERIFIED
status-firefox20: fixed → verified
Flags: needinfo?(mwobensmith)
Keywords: verifyme
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox-esr17: --- → unaffected
Flags: sec-bounty-
Whiteboard: [asan][sg:dupe 819623] → [asan][sg:dupe 819623][adv-main20-]
Group: core-security