Bug 831668 (Closed)
Opened 12 years ago; closed 12 years ago
Heap-use-after-free in mozilla::dom::SVGTransformBinding::genericGetter
Categories: Core :: SVG, defect
Status: RESOLVED FIXED
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | unaffected |
| firefox20 | --- | unaffected |
| firefox21 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People: Reporter: inferno; Assigned: dzbarsky
Details: 4 keywords; Whiteboard: Fixed by 831673
Attachments (1 file): 446 bytes, text/html
Reproduces on trunk. Install the fuzzPriv extension to force gc.
>==17884== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f09a8520898 at pc 0x7f09d0ea0fec bp 0x7fff33af9eb0 sp 0x7fff33af9ea8
>READ of size 8 at 0x7f09a8520898 thread T0
> #0 0x7f09d0ea0feb in incr src/../../../../dist/include/nsISupportsImpl.h:132
> #1 0x7f09d0ea0feb in mozilla::dom::SVGMatrix::AddRef() src/content/svg/content/src/SVGMatrix.cpp:36
> #2 0x7f09d22828e8 in mozilla::dom::SVGTransformBinding::genericGetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/SVGTransformBinding.cpp:402
> #3 0x7f09d382e67d in native src/js/src/jscntxtinlines.h:378
> #4 0x7f09d382e67d in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #5 0x7f09d382f432 in Invoke src/js/src/jsinterp.h:112
> #6 0x7f09d382f432 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #7 0x7f09d383006b in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
> #8 0x7f09d389cd5a in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:296
> #9 0x7f09d388dd0b in js_NativeGetInline src/js/src/jsobj.cpp:3408
> #10 0x7f09d388dd0b in js_GetPropertyHelperInline src/js/src/jsobj.cpp:3561
> #11 0x7f09d388dd0b in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) src/js/src/jsobj.cpp:3570
> #12 0x7f09d3835697 in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:290
> #13 0x7f09d3812be6 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2235
> #14 0x7f09d380b3f1 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #15 0x7f09d3830628 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:537
> #16 0x7f09d3830aff in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:576
> #17 0x7f09d36da630 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5650
> #18 0x7f09d0272d07 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1512
> #19 0x7f09d0304022 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9749
> #20 0x7f09d02eaf67 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:10002
> #21 0x7f09d03032f8 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10271
> #22 0x7f09d24a7562 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565
> #23 0x7f09d23d3fc2 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
> #24 0x7f09d1c6a80c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #25 0x7f09d252ce18 in RunInternal src/ipc/chromium/src/base/message_loop.cc:215
> #26 0x7f09d252ce18 in RunHandler src/ipc/chromium/src/base/message_loop.cc:208
> #27 0x7f09d252ce18 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #28 0x7f09d195292d in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #29 0x7f09ce8e967f in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #30 0x7f09ce8ea641 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #31 0x41afd6 in do_main src/browser/app/nsBrowserApp.cpp:195
> #32 0x41afd6 in main src/browser/app/nsBrowserApp.cpp:388
> #33 0x7f09d94c176c in
>0x7f09a8520898 is located 24 bytes inside of 88-byte region [0x7f09a8520880,0x7f09a85208d8)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7f09d0ea1254 in stabilizeForDeletion src/../../../../dist/include/mozilla/mozalloc.h:224
> #2 0x7f09d0ea1254 in mozilla::dom::SVGMatrix::Release() src/content/svg/content/src/SVGMatrix.cpp:37
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7f09d6780148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7f09d22828e8 in mozilla::dom::SVGTransformBinding::genericGetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/SVGTransformBinding.cpp:402
> #3 0x7f09d382e67d in native src/js/src/jscntxtinlines.h:378
> #4 0x7f09d382e67d in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #5 0x7f09d382f432 in Invoke src/js/src/jsinterp.h:112
> #6 0x7f09d382f432 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #7 0x7f09d383006b in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
> #8 0x7f09d389cd5a in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:296
> #9 0x7f09d388dd0b in js_NativeGetInline src/js/src/jsobj.cpp:3408
> #10 0x7f09d388dd0b in js_GetPropertyHelperInline src/js/src/jsobj.cpp:3561
> #11 0x7f09d388dd0b in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) src/js/src/jsobj.cpp:3570
> #12 0x7f09d3835697 in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:290
> #13 0x7f09d3812be6 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2235
> #14 0x7f09d380b3f1 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #15 0x7f09d382e578 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #16 0x7f09d382f432 in Invoke src/js/src/jsinterp.h:112
> #17 0x7f09d382f432 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #18 0x7f09d36ddc77 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
> #19 0x7f09d1030039 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #20 0x7f09d101ef2d in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
> #21 0x7f09d24de8da in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
> #22 0x7f09d24dd932 in SharedStub
> #23 0x7f09cfba40ae in operator class nsIDOMEventListener * src/content/events/src/nsEventListenerManager.cpp:922
> #24 0x7f09cfba40ae in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
> #25 0x7f09cfc05c88 in CurrentTarget src/content/events/src/nsEventListenerManager.h:278
> #26 0x7f09cfc05c88 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
>Shadow bytes around the buggy address:
>==17884== ABORTING
Updated 12 years ago (Reporter):
Component: General → SVG
Product: Firefox → Core
Comment 1, 12 years ago:
David, is this down to your changes?
Blocks: 831673
Updated 12 years ago (Assignee):
QA Contact: dzbarsky
Comment 2, 12 years ago (Assignee):
I think this is a dupe of bug 831673.
Assignee: nobody → dzbarsky
QA Contact: dzbarsky
Comment 3, 12 years ago (Reporter):
Can I be CC'd on bug 831673?
Comment 4, 12 years ago (Reporter):
Bug 831673 looks like an external report, and this bug 831668 < 831673, so that should be a dup of this bug.
Comment 5, 12 years ago:
Duplication just means the bugs are the same. There's no "a < b, so a wins" rule.
Comment 6, 12 years ago (Assignee):
Abhishek, can you still reproduce this issue on current nightly?
Comment 7, 12 years ago (Reporter):
(In reply to David Zbarsky (:dzbarsky) from comment #6)
> Abhishek, can you still reproduce this issue on current nightly?
Actually, I was trying your patch from 831673 this morning and it did fix all the variants I had.
Comment 8, 12 years ago:
I guess this is fixed then.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated 12 years ago:
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
Depends on: 831673
Keywords: regression, sec-critical
Whiteboard: Fixed by 831673
Updated 12 years ago:
Flags: sec-bounty?
Comment 10, 12 years ago:
The committee has decided to split the bounty for this bug with bug 831673 due to how close together the issues were reported.
Flags: sec-bounty? → sec-bounty+
Updated 12 years ago:
Group: core-security
Updated 1 year ago:
Keywords: reporter-external