Closed Bug 830132 Opened 7 years ago Closed 7 years ago

Heap-use-after-free in nsINode::ReplaceOrInsertBefore

Categories

(Core :: DOM: Editor, defect, critical)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla21
Tracking Status
firefox20 --- unaffected
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: dzbarsky)

References

Details

(5 keywords, Whiteboard: [asan][adv-main21+])

Attachments

(2 files)

Attached file Testcase
>==14234== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4baef57b80 at pc 0x7f4bd5875d62 bp 0x7fffcf0f90b0 sp 0x7fffcf0f90a8
>READ of size 8 at 0x7f4baef57b80 thread T0
>    #0 0x7f4bd5875d61 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1555
>    #1 0x7f4bd57c300d in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1538
>    #2 0x7f4bd57bf4a2 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1542
>    #3 0x7f4bd922ef9e in SplitElementTxn::RedoTransaction() src/editor/libeditor/base/SplitElementTxn.cpp:212
>    #4 0x7f4bd9208cf6 in EditAggregateTxn::RedoTransaction() src/editor/libeditor/base/EditAggregateTxn.cpp:72
>    #5 0x7f4bd91d6345 in PlaceholderTxn::RedoTransaction() src/editor/libeditor/base/PlaceholderTxn.cpp:84
>    #6 0x7f4bdc4ceb29 in nsTransactionItem::RedoTransaction(nsTransactionManager*) src/editor/txmgr/src/nsTransactionItem.cpp:254
>    #7 0x7f4bdc4e4ce9 in nsTransactionManager::RedoTransaction() src/editor/txmgr/src/nsTransactionManager.cpp:187
>    #8 0x7f4bd90d2d0d in nsEditor::Redo(unsigned int) src/editor/libeditor/base/nsEditor.cpp:839
>    #9 0x7f4bd906d4b5 in nsPlaintextEditor::Redo(unsigned int) src/editor/libeditor/text/nsPlaintextEditor.cpp:1121
>    #10 0x7f4bd916d995 in nsRedoCommand::DoCommand(char const*, nsISupports*) src/editor/libeditor/base/nsEditorCommands.cpp:117
>    #11 0x7f4bdc3356b8 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:158
>    #12 0x7f4bdc305484 in nsBaseCommandController::DoCommand(char const*) src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:137
>    #13 0x7f4bdc31f29c in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) src/embedding/components/commandhandler/src/nsCommandManager.cpp:236
>    #14 0x7f4bd762f463 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) src/content/html/document/src/nsHTMLDocument.cpp:3404
>    #15 0x7f4bdfeaa163 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:782
>    #16 0x7f4bdfe9d896 in mozilla::dom::HTMLDocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:1490
>    #17 0x7f4be8f311ca in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
>    #18 0x7f4be8f311ca in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #19 0x7f4be8ee1bcb in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
>    #20 0x7f4be8e427ab in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #21 0x7f4be8f31b1e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #22 0x7f4be87c2ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #23 0x7f4be8f36f99 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #24 0x7f4be86b8d42 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5829
>    #25 0x7f4bdb60adc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #26 0x7f4bdb5aba50 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #27 0x7f4be152cd6f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #28 0x7f4be1529a56 in SharedStub
>    #29 0x7f4bd638ab85 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:922
>    #30 0x7f4bd638c397 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
>    #31 0x7f4bd657d36a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:278
>    #32 0x7f4bd656c51c in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
>    #33 0x7f4bd656a783 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:310
>    #34 0x7f4bd65724b7 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:678
>    #35 0x7f4bd6574d09 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:738
>    #36 0x7f4bd586e1e5 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1100
>    #37 0x7f4bd5350eb0 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3511
>    #38 0x7f4bd5350184 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3481
>    #39 0x7f4bd5577a6f in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4320
>    #40 0x7f4bd567a162 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
>    #41 0x7f4be13fd24f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #42 0x7f4be1071bd5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #43 0x7f4bde68217c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #44 0x7f4be16ef1d2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #45 0x7f4be16ef009 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #46 0x7f4be16eeede in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #47 0x7f4bdda3d7f7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #48 0x7f4bdc5490e5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #49 0x7f4bd17af7b4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #50 0x7f4bd17b539a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #51 0x7f4bd17b8170 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #52 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #53 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #54 0x7f4bf495f76c in
>0x7f4baef57b80 is located 0 bytes inside of 120-byte region [0x7f4baef57b80,0x7f4baef57bf8)
>freed by thread T0 here:
>    #0 0x40f992 in __interceptor_free
>    #1 0x7f4bf15df409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
>    #2 0x7f4bd5ad73e0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
>    #3 0x7f4bd5ad73e0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>    #4 0x7f4bd599da07 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
>    #5 0x7f4bd58177e0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
>    #6 0x7f4bd5ad78da in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
>    #7 0x7f4bd177929f in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
>    #8 0x7f4bd3573a2c in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #9 0x7f4bd35736f9 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #10 0x7f4bd5c66f8d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
>    #11 0x7f4bd585bcd3 in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:459
>    #12 0x7f4bd922eefa in SplitElementTxn::RedoTransaction() src/editor/libeditor/base/SplitElementTxn.cpp:209
>    #13 0x7f4bd9208cf6 in EditAggregateTxn::RedoTransaction() src/editor/libeditor/base/EditAggregateTxn.cpp:72
>    #14 0x7f4bd91d6345 in PlaceholderTxn::RedoTransaction() src/editor/libeditor/base/PlaceholderTxn.cpp:84
>    #15 0x7f4bdc4ceb29 in nsTransactionItem::RedoTransaction(nsTransactionManager*) src/editor/txmgr/src/nsTransactionItem.cpp:254
>    #16 0x7f4bdc4e4ce9 in nsTransactionManager::RedoTransaction() src/editor/txmgr/src/nsTransactionManager.cpp:187
>    #17 0x7f4bd90d2d0d in nsEditor::Redo(unsigned int) src/editor/libeditor/base/nsEditor.cpp:839
>    #18 0x7f4bd906d4b5 in nsPlaintextEditor::Redo(unsigned int) src/editor/libeditor/text/nsPlaintextEditor.cpp:1121
>    #19 0x7f4bd916d995 in nsRedoCommand::DoCommand(char const*, nsISupports*) src/editor/libeditor/base/nsEditorCommands.cpp:117
>    #20 0x7f4bdc3356b8 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:158
>    #21 0x7f4bdc305484 in nsBaseCommandController::DoCommand(char const*) src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:137
>    #22 0x7f4bdc31f29c in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) src/embedding/components/commandhandler/src/nsCommandManager.cpp:236
>    #23 0x7f4bd762f463 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) src/content/html/document/src/nsHTMLDocument.cpp:3404
>    #24 0x7f4bdfeaa163 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:782
>    #25 0x7f4bdfe9d896 in mozilla::dom::HTMLDocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:1490
>    #26 0x7f4be8f311ca in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
>    #27 0x7f4be8f311ca in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #28 0x7f4be8ee1bcb in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
>    #29 0x7f4be8e427ab in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #30 0x7f4be8f31b1e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #31 0x7f4be87c2ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>previously allocated by thread T0 here:
>    #0 0x40fa72 in malloc
>    #1 0x7f4bf15df554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7f4bd5ad6c00 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
>    #3 0x7f4bd5ad6c00 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>    #4 0x7f4bd93ffd2e in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
>    #5 0x7f4bd940afb7 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
>    #6 0x7f4bd9429116 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
>    #7 0x7f4bd946712d in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
>    #8 0x7f4be13fd24f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #9 0x7f4be1071bd5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #10 0x7f4bde68217c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #11 0x7f4be16ef1d2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #12 0x7f4be16ef009 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #13 0x7f4be16eeede in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #14 0x7f4bdda3d7f7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #15 0x7f4bdc5490e5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #16 0x7f4bd17af7b4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #17 0x7f4bd17b539a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #18 0x7f4bd17b8170 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #19 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #20 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #21 0x7f4bf495f76c in
>Shadow bytes around the buggy address:
>  0x1fe975deaf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe975deaf30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1fe975deaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe975deaf50: 00 00 00 00 01 fb fb fb fb fb fb fb fb fb fb fb
>  0x1fe975deaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1fe975deaf70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1fe975deaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe975deaf90: 00 00 00 00 00 00 00 00 00 00 00 00 fb fb fb fb
>  0x1fe975deafa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fe975deafb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1fe975deafc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>Stats: 253M malloced (292M for red zones) by 506272 calls
>Stats: 47M realloced by 24309 calls
>Stats: 215M freed by 270331 calls
>Stats: 81M really freed by 188882 calls
>Stats: 472M (472M-0M) mmaped; 118 maps, 0 unmaps
>  mmaps   by size class: 8:294894; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:384; 16:1216; 17:1312; 18:48; 19:40; 20:24;
>  mallocs by size class: 8:439668; 9:32361; 10:8908; 11:16151; 12:2505; 13:1730; 14:1601; 15:402; 16:1451; 17:1362; 18:69; 19:41; 20:23;
>  frees   by size class: 8:221828; 9:22349; 10:5186; 11:13892; 12:1478; 13:1269; 14:1431; 15:277; 16:1163; 17:1343; 18:57; 19:38; 20:20;
>  rfrees  by size class: 8:166826; 9:7742; 10:2132; 11:9241; 12:606; 13:512; 14:448; 15:160; 16:969; 17:215; 18:26; 19:4; 20:1;
>Stats: malloc large: 1495 small slow: 2555
>Stats: StackDepot: 0 ids; 0M mapped
>==14234== ABORTING
A regression from bug 828169. Before that we correctly kept objects alive, now we're
using raw pointers.
Blocks: 828169
I was going to add a question mark... A regression from bug 828169?
Bah, I should have caught this.  All raw DOM pointer usages in that patch are unsafe.  David, can you please take this?
Assignee: nobody → dzbarsky
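The ASan report above shows the shape of the bug: SplitElementTxn::RedoTransaction calls RemoveChild, which releases the parent's nsCOMPtr and destroys the text node, and then AppendChild reads the same node through a raw pointer. The following is an added, self-contained C++ model of that ownership mistake beside its fix; it is not Gecko code and not the patch attached to this bug. The Node, RefPtr, MoveChildRaw, MoveChildSafe and RunMove names and the g_liveNodes registry are assumptions made for the example; the registry stands in for the sanitizer's freed-region check so the unsafe path reports the problem instead of dereferencing freed memory.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of live Node objects. It stands in for AddressSanitizer's
// freed-region check so the unsafe path can be shown without reading freed
// memory. (Hypothetical helper for this example, not part of Gecko.)
static std::set<const void*> g_liveNodes;

// Minimal intrusive strong reference, playing the role nsCOMPtr plays in the
// real code: holding one keeps the node alive.
template <class T>
class RefPtr {
 public:
  RefPtr() : mPtr(nullptr) {}
  RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  RefPtr(RefPtr&& o) noexcept : mPtr(o.mPtr) { o.mPtr = nullptr; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(RefPtr o) { std::swap(mPtr, o.mPtr); return *this; }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

// Toy DOM node: the parent's child vector owns the children and mParent is a
// raw back pointer, the ownership shape that lets RemoveChild free the very
// node it was handed.
class Node {
 public:
  explicit Node(std::string text) : mText(std::move(text)) { g_liveNodes.insert(this); }
  ~Node() { g_liveNodes.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }

  void AppendChild(Node* child) {
    child->mParent = this;
    mChildren.push_back(RefPtr<Node>(child));
  }
  void RemoveChild(Node* child) {
    auto it = std::find_if(mChildren.begin(), mChildren.end(),
                           [child](const RefPtr<Node>& c) { return c.get() == child; });
    if (it == mChildren.end()) return;
    child->mParent = nullptr;
    mChildren.erase(it);  // drops the parent's reference; may destroy `child`
  }
  Node* ChildAt(size_t i) const { return i < mChildren.size() ? mChildren[i].get() : nullptr; }
  size_t ChildCount() const { return mChildren.size(); }
  Node* Parent() const { return mParent; }
  const std::string& Text() const { return mText; }

 private:
  unsigned mRefCnt = 0;
  Node* mParent = nullptr;
  std::vector<RefPtr<Node>> mChildren;
  std::string mText;
};

// The regressed pattern: only a raw pointer is held across RemoveChild.
// Returns false when the child was destroyed before AppendChild ran; in the
// real code that is the read ASan flagged inside ReplaceOrInsertBefore.
bool MoveChildRaw(Node* from, size_t index, Node* to) {
  Node* child = from->ChildAt(index);               // non-owning
  if (!child) return false;
  from->RemoveChild(child);                         // last reference gone: child freed
  if (g_liveNodes.count(child) == 0) return false;  // would be a use-after-free
  to->AppendChild(child);
  return true;
}

// The fix: take a strong reference before removing, release it after appending.
bool MoveChildSafe(Node* from, size_t index, Node* to) {
  RefPtr<Node> child(from->ChildAt(index));  // AddRef keeps it alive across the move
  if (!child.get()) return false;
  from->RemoveChild(child.get());            // refcount 2 -> 1, node still valid
  to->AppendChild(child.get());              // new parent now owns it
  return true;
}

struct MoveOutcome { bool moved; size_t destChildren; std::string text; };

// Builds <a>text</a> and an empty <b>, then moves the text node with `mover`.
MoveOutcome RunMove(bool (*mover)(Node*, size_t, Node*)) {
  RefPtr<Node> a(new Node("a"));
  RefPtr<Node> b(new Node("b"));
  a->AppendChild(new Node("text"));          // `a` holds the only reference
  bool moved = mover(a.get(), 0, b.get());
  std::string text;
  if (b->ChildCount()) text = b->ChildAt(0)->Text();
  return {moved, b->ChildCount(), text};
}

int main() {
  MoveOutcome raw = RunMove(MoveChildRaw);
  MoveOutcome safe = RunMove(MoveChildSafe);
  std::printf("raw pointer: moved=%d children=%zu\n", raw.moved, raw.destChildren);
  std::printf("strong ref : moved=%d children=%zu text=%s\n",
              safe.moved, safe.destChildren, safe.text.c_str());
  return 0;
}
```

The unsafe variant fails because the parent's vector held the only reference, which is exactly the situation in the trace (nsCOMPtr<nsIContent>::~nsCOMPtr inside FragmentOrElement::RemoveChildAt frees the text node). Holding a strong reference for the whole duration of the transaction step is what makes the move safe regardless of who else references the node.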
Attached patch Patch
Attachment #701671 - Flags: review?(ehsan)
Severity: normal → critical
Flags: in-testsuite?
Keywords: crash, testcase
Whiteboard: [asan]
Comment on attachment 701671 [details] [diff] [review]
Patch

Review of attachment 701671 [details] [diff] [review]:
-----------------------------------------------------------------

r=me
Attachment #701671 - Flags: review?(ehsan) → review+
https://hg.mozilla.org/mozilla-central/rev/439f89ca8757
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Whiteboard: [asan] → [asan][adv-main21+]
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security