Heap-use-after-free in mozilla::dom::SVGTransformBinding::genericGetter

Status: RESOLVED FIXED
6 years ago
5 years ago

People: Reporter: inferno, Assigned: dzbarsky

Tracking: csectype-uaf, regression, sec-critical
Trunk, x86_64, Windows 7
Bug Flags: sec-bounty +

Firefox Tracking Flags: firefox19 unaffected, firefox20 unaffected, firefox21+ fixed, firefox-esr17 unaffected, b2g18 unaffected

Whiteboard: Fixed by 831673

Attachments: 1 attachment

(Reporter)

Description

6 years ago
Created attachment 703205 [details]
Testcase

Reproduces on trunk. Install the fuzzPriv extension to force gc.

>==17884== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f09a8520898 at pc 0x7f09d0ea0fec bp 0x7fff33af9eb0 sp 0x7fff33af9ea8
>READ of size 8 at 0x7f09a8520898 thread T0
>    #0 0x7f09d0ea0feb in incr src/../../../../dist/include/nsISupportsImpl.h:132
>    #1 0x7f09d0ea0feb in mozilla::dom::SVGMatrix::AddRef() src/content/svg/content/src/SVGMatrix.cpp:36
>    #2 0x7f09d22828e8 in mozilla::dom::SVGTransformBinding::genericGetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/SVGTransformBinding.cpp:402
>    #3 0x7f09d382e67d in native src/js/src/jscntxtinlines.h:378
>    #4 0x7f09d382e67d in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #5 0x7f09d382f432 in Invoke src/js/src/jsinterp.h:112
>    #6 0x7f09d382f432 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #7 0x7f09d383006b in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #8 0x7f09d389cd5a in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:296
>    #9 0x7f09d388dd0b in js_NativeGetInline src/js/src/jsobj.cpp:3408
>    #10 0x7f09d388dd0b in js_GetPropertyHelperInline src/js/src/jsobj.cpp:3561
>    #11 0x7f09d388dd0b in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) src/js/src/jsobj.cpp:3570
>    #12 0x7f09d3835697 in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:290
>    #13 0x7f09d3812be6 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2235
>    #14 0x7f09d380b3f1 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #15 0x7f09d3830628 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:537
>    #16 0x7f09d3830aff in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:576
>    #17 0x7f09d36da630 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5650
>    #18 0x7f09d0272d07 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1512
>    #19 0x7f09d0304022 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9749
>    #20 0x7f09d02eaf67 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:10002
>    #21 0x7f09d03032f8 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10271
>    #22 0x7f09d24a7562 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565
>    #23 0x7f09d23d3fc2 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
>    #24 0x7f09d1c6a80c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #25 0x7f09d252ce18 in RunInternal src/ipc/chromium/src/base/message_loop.cc:215
>    #26 0x7f09d252ce18 in RunHandler src/ipc/chromium/src/base/message_loop.cc:208
>    #27 0x7f09d252ce18 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #28 0x7f09d195292d in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #29 0x7f09ce8e967f in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #30 0x7f09ce8ea641 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #31 0x41afd6 in do_main src/browser/app/nsBrowserApp.cpp:195
>    #32 0x41afd6 in main src/browser/app/nsBrowserApp.cpp:388
>    #33 0x7f09d94c176c in
>0x7f09a8520898 is located 24 bytes inside of 88-byte region [0x7f09a8520880,0x7f09a85208d8)
>freed by thread T0 here:
>    #0 0x40f992 in __interceptor_free
>    #1 0x7f09d0ea1254 in stabilizeForDeletion src/../../../../dist/include/mozilla/mozalloc.h:224
>    #2 0x7f09d0ea1254 in mozilla::dom::SVGMatrix::Release() src/content/svg/content/src/SVGMatrix.cpp:37
>previously allocated by thread T0 here:
>    #0 0x40fa72 in malloc
>    #1 0x7f09d6780148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7f09d22828e8 in mozilla::dom::SVGTransformBinding::genericGetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/SVGTransformBinding.cpp:402
>    #3 0x7f09d382e67d in native src/js/src/jscntxtinlines.h:378
>    #4 0x7f09d382e67d in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #5 0x7f09d382f432 in Invoke src/js/src/jsinterp.h:112
>    #6 0x7f09d382f432 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #7 0x7f09d383006b in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #8 0x7f09d389cd5a in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:296
>    #9 0x7f09d388dd0b in js_NativeGetInline src/js/src/jsobj.cpp:3408
>    #10 0x7f09d388dd0b in js_GetPropertyHelperInline src/js/src/jsobj.cpp:3561
>    #11 0x7f09d388dd0b in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) src/js/src/jsobj.cpp:3570
>    #12 0x7f09d3835697 in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:290
>    #13 0x7f09d3812be6 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2235
>    #14 0x7f09d380b3f1 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #15 0x7f09d382e578 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #16 0x7f09d382f432 in Invoke src/js/src/jsinterp.h:112
>    #17 0x7f09d382f432 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #18 0x7f09d36ddc77 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
>    #19 0x7f09d1030039 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #20 0x7f09d101ef2d in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #21 0x7f09d24de8da in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #22 0x7f09d24dd932 in SharedStub
>    #23 0x7f09cfba40ae in operator class nsIDOMEventListener * src/content/events/src/nsEventListenerManager.cpp:922
>    #24 0x7f09cfba40ae in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
>    #25 0x7f09cfc05c88 in CurrentTarget src/content/events/src/nsEventListenerManager.h:278
>    #26 0x7f09cfc05c88 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
>==17884== ABORTING
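As an added illustration (not Gecko's code, and not a claim about the actual root cause of bug 831673), the trace above is the signature of a getter that lets the only strong reference to a new refcounted object die before the binding AddRefs it. The toy Matrix and RefPtr types are constructed here, and a free is simulated with a flag so the check runs safely.

```cpp
// Added illustration (not Gecko code): a refcounted object freed and then
// AddRef'd by a binding getter, beside the ownership-transferring fix.
#include <utility>

struct Matrix {
    int refcnt = 0;
    bool freed = false;           // stands in for the heap block being freed
    void AddRef() { ++refcnt; }   // in real code this writes into freed memory
    void Release() { if (--refcnt == 0) freed = true; }
};

// Minimal strong pointer: AddRef on construction, Release on destruction.
struct RefPtr {
    Matrix* p;
    explicit RefPtr(Matrix* m) : p(m) { p->AddRef(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr(RefPtr&& o) noexcept : p(std::exchange(o.p, nullptr)) {}
    ~RefPtr() { if (p) p->Release(); }
    Matrix* get() const { return p; }
    Matrix* forget() { return std::exchange(p, nullptr); } // hand ownership out
};

// Vulnerable: the only strong reference lives in a temporary that dies at return.
Matrix* bad_getter() {
    RefPtr tmp(new Matrix());
    return tmp.get();           // tmp destructs: refcnt 1 -> 0, object freed
}

// Fixed: the reference is transferred to the caller (already_AddRefed style).
Matrix* good_getter() {
    RefPtr tmp(new Matrix());
    return tmp.forget();        // caller now owns the reference
}

// Models the binding: AddRef the result for its JS wrapper.
// Returns true if the object was already freed when AddRef ran.
bool wrap_for_js(Matrix* m) {
    bool uaf = m->freed;
    m->AddRef();
    return uaf;
}

bool bad_path_is_uaf()  { return wrap_for_js(bad_getter()); }
bool good_path_is_uaf() { return wrap_for_js(good_getter()); }
```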
(Reporter)

Updated

6 years ago
Component: General → SVG
Product: Firefox → Core
David, is this down to your changes?
(Assignee)

Updated

6 years ago
QA Contact: dzbarsky
(Assignee)

Comment 2

6 years ago
I think this is a dupe of bug 831673.
Assignee: nobody → dzbarsky
QA Contact: dzbarsky
(Reporter)

Comment 3

6 years ago
Can I be CC'ed on bug 831673?
(Reporter)

Comment 4

6 years ago
Bug 831673 looks like an external report, and this bug 831668 < 831673, so that should be a dup of this bug.
Duplication just means the bugs are the same. There's no "a < b so a wins" rule.
(Assignee)

Comment 6

6 years ago
Abhishek, can you still reproduce this issue on current nightly?
(Reporter)

Comment 7

6 years ago
(In reply to David Zbarsky (:dzbarsky) from comment #6)
> Abhishek, can you still reproduce this issue on current nightly?

Actually I was trying your patch from 831673 this morning and it did fix all the variants I had.
I guess this is fixed then.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Blocks: 817256
No longer blocks: 831673
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
Depends on: 831673
Keywords: regression, sec-critical
Whiteboard: Fixed by 831673
Blocks: 831673
No longer depends on: 831673
No longer blocks: 831673
Depends on: 831673
Flags: sec-bounty?
The committee has decided to split the bounty for this bug with bug 831673 due to how close together the issues were reported.
Flags: sec-bounty? → sec-bounty+
Keywords: csec-uaf
Group: core-security