Closed
Bug 830132
Opened 11 years ago
Closed 11 years ago
Heap-use-after-free in nsINode::ReplaceOrInsertBefore
Categories
(Core :: DOM: Editor, defect)
Tracking
RESOLVED FIXED (mozilla21)

| Release | Tracking | Status |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: inferno, Assigned: dzbarsky)
References
Details
(5 keywords, Whiteboard: [asan][adv-main21+])
Attachments (2 files)
- 292 bytes, text/html
- 3.33 KB, patch (ehsan.akhgari: review+)
>==14234== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4baef57b80 at pc 0x7f4bd5875d62 bp 0x7fffcf0f90b0 sp 0x7fffcf0f90a8
>READ of size 8 at 0x7f4baef57b80 thread T0
> #0 0x7f4bd5875d61 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1555
> #1 0x7f4bd57c300d in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1538
> #2 0x7f4bd57bf4a2 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1542
> #3 0x7f4bd922ef9e in SplitElementTxn::RedoTransaction() src/editor/libeditor/base/SplitElementTxn.cpp:212
> #4 0x7f4bd9208cf6 in EditAggregateTxn::RedoTransaction() src/editor/libeditor/base/EditAggregateTxn.cpp:72
> #5 0x7f4bd91d6345 in PlaceholderTxn::RedoTransaction() src/editor/libeditor/base/PlaceholderTxn.cpp:84
> #6 0x7f4bdc4ceb29 in nsTransactionItem::RedoTransaction(nsTransactionManager*) src/editor/txmgr/src/nsTransactionItem.cpp:254
> #7 0x7f4bdc4e4ce9 in nsTransactionManager::RedoTransaction() src/editor/txmgr/src/nsTransactionManager.cpp:187
> #8 0x7f4bd90d2d0d in nsEditor::Redo(unsigned int) src/editor/libeditor/base/nsEditor.cpp:839
> #9 0x7f4bd906d4b5 in nsPlaintextEditor::Redo(unsigned int) src/editor/libeditor/text/nsPlaintextEditor.cpp:1121
> #10 0x7f4bd916d995 in nsRedoCommand::DoCommand(char const*, nsISupports*) src/editor/libeditor/base/nsEditorCommands.cpp:117
> #11 0x7f4bdc3356b8 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:158
> #12 0x7f4bdc305484 in nsBaseCommandController::DoCommand(char const*) src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:137
> #13 0x7f4bdc31f29c in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) src/embedding/components/commandhandler/src/nsCommandManager.cpp:236
> #14 0x7f4bd762f463 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) src/content/html/document/src/nsHTMLDocument.cpp:3404
> #15 0x7f4bdfeaa163 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:782
> #16 0x7f4bdfe9d896 in mozilla::dom::HTMLDocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:1490
> #17 0x7f4be8f311ca in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #18 0x7f4be8f311ca in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #19 0x7f4be8ee1bcb in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
> #20 0x7f4be8e427ab in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #21 0x7f4be8f31b1e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #22 0x7f4be87c2ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #23 0x7f4be8f36f99 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #24 0x7f4be86b8d42 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5829
> #25 0x7f4bdb60adc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #26 0x7f4bdb5aba50 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
> #27 0x7f4be152cd6f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
> #28 0x7f4be1529a56 in SharedStub
> #29 0x7f4bd638ab85 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:922
> #30 0x7f4bd638c397 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
> #31 0x7f4bd657d36a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:278
> #32 0x7f4bd656c51c in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
> #33 0x7f4bd656a783 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:310
> #34 0x7f4bd65724b7 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:678
> #35 0x7f4bd6574d09 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:738
> #36 0x7f4bd586e1e5 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1100
> #37 0x7f4bd5350eb0 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3511
> #38 0x7f4bd5350184 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3481
> #39 0x7f4bd5577a6f in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4320
> #40 0x7f4bd567a162 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
> #41 0x7f4be13fd24f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #42 0x7f4be1071bd5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #43 0x7f4bde68217c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #44 0x7f4be16ef1d2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #45 0x7f4be16ef009 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #46 0x7f4be16eeede in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #47 0x7f4bdda3d7f7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #48 0x7f4bdc5490e5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #49 0x7f4bd17af7b4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #50 0x7f4bd17b539a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #51 0x7f4bd17b8170 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #52 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #53 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #54 0x7f4bf495f76c in
>0x7f4baef57b80 is located 0 bytes inside of 120-byte region [0x7f4baef57b80,0x7f4baef57bf8)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7f4bf15df409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7f4bd5ad73e0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
> #3 0x7f4bd5ad73e0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
> #4 0x7f4bd599da07 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
> #5 0x7f4bd58177e0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
> #6 0x7f4bd5ad78da in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
> #7 0x7f4bd177929f in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
> #8 0x7f4bd3573a2c in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #9 0x7f4bd35736f9 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #10 0x7f4bd5c66f8d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
> #11 0x7f4bd585bcd3 in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:459
> #12 0x7f4bd922eefa in SplitElementTxn::RedoTransaction() src/editor/libeditor/base/SplitElementTxn.cpp:209
> #13 0x7f4bd9208cf6 in EditAggregateTxn::RedoTransaction() src/editor/libeditor/base/EditAggregateTxn.cpp:72
> #14 0x7f4bd91d6345 in PlaceholderTxn::RedoTransaction() src/editor/libeditor/base/PlaceholderTxn.cpp:84
> #15 0x7f4bdc4ceb29 in nsTransactionItem::RedoTransaction(nsTransactionManager*) src/editor/txmgr/src/nsTransactionItem.cpp:254
> #16 0x7f4bdc4e4ce9 in nsTransactionManager::RedoTransaction() src/editor/txmgr/src/nsTransactionManager.cpp:187
> #17 0x7f4bd90d2d0d in nsEditor::Redo(unsigned int) src/editor/libeditor/base/nsEditor.cpp:839
> #18 0x7f4bd906d4b5 in nsPlaintextEditor::Redo(unsigned int) src/editor/libeditor/text/nsPlaintextEditor.cpp:1121
> #19 0x7f4bd916d995 in nsRedoCommand::DoCommand(char const*, nsISupports*) src/editor/libeditor/base/nsEditorCommands.cpp:117
> #20 0x7f4bdc3356b8 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:158
> #21 0x7f4bdc305484 in nsBaseCommandController::DoCommand(char const*) src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:137
> #22 0x7f4bdc31f29c in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) src/embedding/components/commandhandler/src/nsCommandManager.cpp:236
> #23 0x7f4bd762f463 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) src/content/html/document/src/nsHTMLDocument.cpp:3404
> #24 0x7f4bdfeaa163 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:782
> #25 0x7f4bdfe9d896 in mozilla::dom::HTMLDocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/HTMLDocumentBinding.cpp:1490
> #26 0x7f4be8f311ca in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #27 0x7f4be8f311ca in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #28 0x7f4be8ee1bcb in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
> #29 0x7f4be8e427ab in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #30 0x7f4be8f31b1e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #31 0x7f4be87c2ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7f4bf15df554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7f4bd5ad6c00 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
> #3 0x7f4bd5ad6c00 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
> #4 0x7f4bd93ffd2e in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
> #5 0x7f4bd940afb7 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
> #6 0x7f4bd9429116 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
> #7 0x7f4bd946712d in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
> #8 0x7f4be13fd24f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #9 0x7f4be1071bd5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #10 0x7f4bde68217c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #11 0x7f4be16ef1d2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #12 0x7f4be16ef009 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #13 0x7f4be16eeede in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #14 0x7f4bdda3d7f7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #15 0x7f4bdc5490e5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #16 0x7f4bd17af7b4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #17 0x7f4bd17b539a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #18 0x7f4bd17b8170 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #19 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #20 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #21 0x7f4bf495f76c in
>==14234== ABORTING
Comment 1•11 years ago
A regression from bug 828169. Before that we correctly kept objects alive, now we're using raw pointers.
Comment 2•11 years ago
I was going to add a question mark... A regression from bug 828169?
Comment 3•11 years ago
Bah, I should have caught this. All raw DOM pointer usages in that patch are unsafe. David, can you please take this?
Assignee: nobody → dzbarsky
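The lifetime bug described in comments 1 and 3, modelled as an added example (constructed C++, not Gecko code; Node, StrongRef, RemoveChild, AppendChild, SplitRedo and RunScenario are toy stand-ins for nsINode, nsCOMPtr, RemoveChildAt and SplitElementTxn::RedoTransaction). With only a raw pointer to the node being moved, RemoveChild drops the parent's last reference and the following AppendChild reads freed memory, the same free/read pair the ASan trace shows; holding a strong reference across the removal keeps the node alive.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Constructed model of Gecko-style intrusive refcounting, not Gecko code. A live-node
// registry detects a dangling pointer without touching freed memory (ASan's job in the bug).
static std::set<const void*> g_live;
static bool IsLive(const void* p) { return g_live.count(p) != 0; }
struct Node {
  int refcnt = 0;
  std::vector<Node*> children;  // the parent owns one reference per child
  Node() { g_live.insert(this); }
  ~Node() { for (Node* c : children) c->Release(); g_live.erase(this); }
  void AddRef() { ++refcnt; }
  void Release() { if (--refcnt == 0) delete this; }
};
// Minimal strong-reference holder standing in for nsCOMPtr; null means "hold nothing".
struct StrongRef {
  Node* p;
  explicit StrongRef(Node* n) : p(n) { if (p) p->AddRef(); }
  ~StrongRef() { if (p) p->Release(); }
};

// Like RemoveChildAt in the trace: the parent's reference is dropped, and if it was
// the last one the node is destroyed right here.
static void RemoveChild(Node* parent, Node* child) {
  auto& kids = parent->children;
  kids.erase(std::find(kids.begin(), kids.end(), child));
  child->Release();
}
// Like AppendChild -> ReplaceOrInsertBefore; refuses a dead node instead of reading it.
static bool AppendChild(Node* parent, Node* child) {
  if (!IsLive(child)) return false;
  child->AddRef();
  parent->children.push_back(child);
  return true;
}

// Redo of a split: move the last child of oldParent under newParent. With only a raw
// pointer (the regressed code) the node dies inside RemoveChild and the append reads
// freed memory; a strong ref held across the removal keeps it alive.
static bool SplitRedo(Node* oldParent, Node* newParent, bool holdStrongRef) {
  Node* child = oldParent->children.back();
  StrongRef keepAlive(holdStrongRef ? child : nullptr);  // no-op in the buggy variant
  RemoveChild(oldParent, child);
  return AppendChild(newParent, child);
}

// A parent holding the only reference to a text node, an empty sibling, and one redo.
static bool RunScenario(bool holdStrongRef) {
  StrongRef oldParent(new Node), newParent(new Node);
  Node* text = new Node;
  AppendChild(oldParent.p, text);
  return SplitRedo(oldParent.p, newParent.p, holdStrongRef);
}
```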
Updated•11 years ago
Keywords: csec-uaf, sec-critical
Updated•11 years ago
Comment 4•11 years ago (Assignee)
Attachment #701671 - Flags: review?(ehsan)
Updated•11 years ago
Comment 5•11 years ago
Comment on attachment 701671 [details] [diff] [review]
Patch

Review of attachment 701671 [details] [diff] [review]:
-----------------------------------------------------------------

r=me
Attachment #701671 - Flags: review?(ehsan) → review+
Comment 6•11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/439f89ca8757
Comment 7•11 years ago
https://hg.mozilla.org/mozilla-central/rev/439f89ca8757
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated•11 years ago
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated•11 years ago
Whiteboard: [asan] → [asan][adv-main21+]
Updated•11 years ago
Flags: sec-bounty?
Updated•11 years ago
Flags: sec-bounty? → sec-bounty+
Updated•11 years ago
Group: core-security