Closed Bug 832644 Opened 7 years ago Closed 7 years ago

Heap-use-after-free in mozilla::ResetDir

Categories

(Core :: Layout, defect, critical)

Hardware: x86_64
OS: All
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla21
Tracking Status
firefox19 --- unaffected
firefox20 + fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: smontagu)

References

Details

(5 keywords, Whiteboard: [asan][adv-main20-])

Attachments

(3 files)

Attached file Testcase
Reproduces on trunk.

>==27890== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fddcd62ce2c at pc 0x7fddef412ef3 bp 0x7ffffecdddf0 sp 0x7ffffecddde8
>READ of size 4 at 0x7fddcd62ce2c thread T0
>    #0 0x7fddef412ef2 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
>    #1 0x7fddf12cdd9e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
>    #2 0x7fddf12cc8d7 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:506
>    #3 0x7fddf12d3f6f in mozilla::ResetDir(mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:918
>    #4 0x7fddf18eaa27 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1362
>    #5 0x7fddf28800bc in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:656
>    #6 0x7fddf18ead55 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1375
>    #7 0x7fddf28800bc in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:656
>    #8 0x7fddf19c3583 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1387
>    #9 0x7fddf1db63a3 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:894
>    #10 0x7fddf19c5215 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1659
>    #11 0x7fddf19112fd in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1538
>    #12 0x7fddfc55cfc4 in mozilla::dom::NodeBinding::insertBefore(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:508
>    #13 0x7fddfc4f5936 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1390
>    #14 0x7fde0528f9ba in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
>    #15 0x7fde0528f9ba in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #16 0x7fde052402ce in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
>    #17 0x7fde051a0d8b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #18 0x7fde0529d205 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:537
>    #19 0x7fde0529eda5 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:576
>    #20 0x7fde04a08bae in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5650
>    #21 0x7fddf3fdf939 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) src/dom/base/nsJSEnvironment.cpp:1275
>    #22 0x7fddf41b1767 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9755
>    #23 0x7fddf4165e9f in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:10007
>    #24 0x7fddf41af7d9 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10276
>    #25 0x7fddfd788bfb in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:482
>    #26 0x7fddfd78a084 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565
>    #27 0x7fddfd74c4cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #28 0x7fddfd3c0e55 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #29 0x7fddfa7d188c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #30 0x7fddfda438e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #31 0x7fddfda43719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #32 0x7fddfda435ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #33 0x7fddf9b8ba77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #34 0x7fddf8697425 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #35 0x7fdded8ffa04 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #36 0x7fdded9055ea in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #37 0x7fdded9083c0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #38 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #39 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #40 0x7fde1052976c in
>0x7fddcd62ce2c is located 44 bytes inside of 120-byte region [0x7fddcd62ce00,0x7fddcd62ce78)
>freed by thread T0 here:
>    #0 0x40f992 in __interceptor_free
>    #1 0x7fde0d9a9409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
>    #2 0x7fddf1c26800 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
>    #3 0x7fddf1c26800 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>    #4 0x7fddf1aebcf7 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
>    #5 0x7fddf1965ad0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:115
>    #6 0x7fddf1c26cfa in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
>    #7 0x7fdded8c94ef in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
>    #8 0x7fddef6c7b3c in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #9 0x7fddef6c7809 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #10 0x7fddf1db63ad in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
>    #11 0x7fddf2b5562c in nsHTMLFieldSetElement::RemoveChildAt(unsigned int, bool) src/content/html/content/src/nsHTMLFieldSetElement.cpp:218
>    #12 0x7fddf190bfc1 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3376
>    #13 0x7fddfbd89774 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1689
>    #14 0x7fddfbd721c8 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
>    #15 0x7fde0528f9ba in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
>    #16 0x7fde0528f9ba in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #17 0x7fde04b2134f in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #18 0x7fde05295789 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #19 0x7fde0529bc05 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #20 0x7fde0553e1b8 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:314
>    #21 0x7fde05579134 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3841
>    #22 0x7fde052d0268 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:367
>    #23 0x7fde0523017d in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
>    #24 0x7fde051a0d8b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #25 0x7fde0529030e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #26 0x7fde04b2134f in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #27 0x7fde05295789 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #28 0x7fde04a15b62 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
>    #29 0x7fddf7757815 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #30 0x7fddf76f84a0 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:579
>    #31 0x7fddfd88147f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>previously allocated by thread T0 here:
>    #0 0x40fa72 in malloc
>    #1 0x7fde0d9a9554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7fddf1c26020 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
>    #3 0x7fddf1c26020 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>    #4 0x7fddf554e08e in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
>    #5 0x7fddf5559317 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
>    #6 0x7fddf5577476 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
>    #7 0x7fddf55b548d in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:125
>    #8 0x7fddfd74c4cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #9 0x7fddfd3c0e55 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #10 0x7fddfa7d188c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #11 0x7fddfda438e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #12 0x7fddfda43719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #13 0x7fddfda435ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #14 0x7fddf9b8ba77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #15 0x7fddf8697425 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #16 0x7fdded8ffa04 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #17 0x7fdded9055ea in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #18 0x7fdded9083c0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #19 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #20 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #21 0x7fde1052976c in
>Shadow bytes around the buggy address:
>  0x1ffbb9ac5970: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1ffbb9ac5980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac5990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac59a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac59b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1ffbb9ac59c0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac59d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac59e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac59f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac5a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac5a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>==27890== ABORTING
Guessing "csec-uaf, sec-critical" based on bug 819623 with similar stack.
Blocks: DirAuto
Severity: normal → critical
Whiteboard: [asan]
Attached patch Patch
This is a rather subtle bug: when testing for bdi to give it default auto-direction we should have excluded bdi with explicit dir=auto.
Attachment #706868 - Flags: review?(ehsan)
Attachment #706868 - Flags: review?(ehsan) → review+
https://hg.mozilla.org/mozilla-central/rev/775f4a00acee
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment on attachment 706868 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 548206 (or one of its followups)
User impact if declined: critical security vulnerability
Testing completed (on m-c, etc.): Baked on m-c since 2013-01-28
Risk to taking this patch (and alternatives if risky): Minimal
String or UUID changes made by this patch: None
Attachment #706868 - Flags: approval-mozilla-aurora?
Attachment #706868 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security