Closed Bug 856428 Opened 12 years ago Closed 12 years ago

Heap-buffer-overflow in js::AddValueRoot

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla23
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 + fixed
firefox23 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: bzbarsky, NeedInfo)

Details

(5 keywords, Whiteboard: [adv-main22-])

Attachments

(2 files)

Install Jesse's fuzzPriv [https://www.squarefree.com/extensions/domFuzzLite3.xpi] and run test.html from archive. Let a couple of reloads happen (change timeout to like 50 in test.html), you will see the crash.

DOMFuzzHelper created
=================================================================
==6007== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600c0014d000 at pc 0x7f9ac69c4da9 bp 0x7fff7b1d64d0 sp 0x7fff7b1d64c8
READ of size 8 at 0x600c0014d000 thread T0
    #0 0x7f9ac69c4da8 in js::AddValueRoot(JSContext*, JS::Value*, char const*) src/js/src/gc/Heap.h:987
    #1 0x7f9ac55fc282 in mozilla::ErrorResult::ThrowJSException(JSContext*, JS::Value) src/dom/bindings/BindingUtils.cpp:134
    #2 0x7f9ac5607e1f in mozilla::dom::CallbackObject::CallSetup::~CallSetup() src/dom/bindings/CallbackObject.cpp:150
    #3 0x7f9ac2d9d764 in nsTraversal::TestNode(nsINode*, mozilla::ErrorResult&) src/../../../dist/include/mozilla/dom/NodeFilterBinding.h:98
    #4 0x7f9ac2da40a8 in mozilla::dom::TreeWalker::FirstChildInternal(bool, mozilla::ErrorResult&) src/content/base/src/TreeWalker.cpp:351
    #5 0x7f9ac543b6b2 in mozilla::dom::TreeWalkerBinding::firstChild(JSContext*, JS::Handle<JSObject*>, mozilla::dom::TreeWalker*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/TreeWalkerBinding.cpp:216
    #6 0x7f9ac54394ac in mozilla::dom::TreeWalkerBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/TreeWalkerBinding.cpp:439
    #7 0x7f9ac6a56783 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jscntxtinlines.h:338
    #8 0x7f9ac6a489d7 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2357
    #9 0x7f9ac6a37480 in js::RunScript(JSContext*, js::StackFrame*) src/js/src/jsinterp.cpp:341
    #10 0x7f9ac6a588fb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) src/js/src/jsinterp.cpp:529
    #11 0x7f9ac6d6bca7 in EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*) src/js/src/builtin/Eval.cpp:303
    #12 0x7f9ac6d6c05b in js::DirectEval(JSContext*, JS::CallArgs const&) src/js/src/builtin/Eval.cpp:422
    #13 0x7f9ac6a47ff4 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2304
    #14 0x7f9ac6a37480 in js::RunScript(JSContext*, js::StackFrame*) src/js/src/jsinterp.cpp:341
    #15 0x7f9ac6a588fb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) src/js/src/jsinterp.cpp:529
    #16 0x7f9ac6a58d68 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:568
    #17 0x7f9ac690d774 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5621
    #18 0x7f9ac3541e05 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) src/dom/base/nsJSEnvironment.cpp:1294
    #19 0x7f9ac2d8aa35 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&) src/content/base/src/nsScriptLoader.cpp:851
    #20 0x7f9ac2d8973c in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) src/content/base/src/nsScriptLoader.cpp:741
    #21 0x7f9ac2d88d91 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) src/content/base/src/nsScriptLoader.cpp:581
    #22 0x7f9ac2d81fa3 in nsScriptElement::MaybeProcessScript() src/content/base/src/nsScriptElement.cpp:139
    #23 0x7f9ac3a56eae in nsHtml5TreeOpExecutor::RunScript(nsIContent*) src/../../dist/include/nsIScriptElement.h:220
    #24 0x7f9ac3a54c08 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:593
    #25 0x7f9ac3a5a67c in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:61
    #26 0x7f9ac56d37a3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
    #27 0x7f9ac561ab30 in NS_ProcessNextEvent(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
    #28 0x7f9ac4bdc77c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #29 0x7f9ac5769a09 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:216
    #30 0x7f9ac48f9fec in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #31 0x7f9ac43ef5ba in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
    #32 0x7f9ac1c87afa in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3880
    #33 0x7f9ac1c88920 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3947
    #34 0x7f9ac1c897b9 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4152
    #35 0x425558 in main src/browser/app/nsBrowserApp.cpp:232
    #36 0x7f9aca60d76c in
    #37 0x424864 in
0x600c0014d000 is located 0 bytes to the right of 64-byte region [0x600c0014cfc0,0x600c0014d000)
freed by thread T0 here:
    #0 0x4186d2 in __interceptor_free
    #1 0x7f9ac248a6b0 in nsXBLBinding::Release() src/../../dist/include/mozilla/mozalloc.h:225
previously allocated by thread T0 here:
    #0 0x4187b2 in __interceptor_malloc
    #1 0x7f9acb64d418 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f9ac34af7c0 in nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*>&) src/content/xbl/src/nsXBLService.cpp:798
    #3 0x7f9ac34af7c0 in nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**, nsTArray<nsIURI*>&) src/content/xbl/src/nsXBLService.cpp:798
    #4 0x7f9ac34adb83 in nsXBLService::GetBinding(nsIContent*, nsIURI*, bool, nsIPrincipal*, bool*, nsXBLBinding**) src/content/xbl/src/nsXBLService.cpp:690
    #5 0x7f9ac34ad0bb in nsXBLService::LoadBindings(nsIContent*, nsIURI*, nsIPrincipal*, nsXBLBinding**, bool*) src/content/xbl/src/nsXBLService.cpp:475
    #6 0x7f9ac244b735 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, bool, nsStyleContext*, unsigned int, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5096
    #7 0x7f9ac24666de in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5039
==6007== ABORTING
Severity: normal → critical
Component: General → DOM
Keywords: crash
Product: Firefox → Core
This looks likely to be fallout from bug 839088. Patch coming up; going to see if I can reproduce first.
Assignee: nobody → bzbarsky
Blocks: 839088
Whiteboard: [need review]
Unfortunately, can't seem to reproduce locally (in a non-ASAN build).... Still pretty clear what's going on here, though.
Attachment #731903 - Flags: review?(peterv)
What's the security rating of this bug?
Bill, what's the security rating on rooting an uninitialized Value and then immediately after setting it to something?
Flags: needinfo?(wmccloskey)
Well, we're setting a bit in the mark bitmap at a memory location that is sort of controllable. It would be hard to exploit because it's only one bit, and the mark bitmap is always stored within a given range of addresses in each 1MB region. However, I think it's still sec-critical.
Flags: needinfo?(wmccloskey)
Keywords: sec-critical
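Bill's comment above describes the mechanism: AddValueRoot reads the Value's bits as soon as the root is registered, so rooting a slot before assigning it turns whatever stale memory the slot held into a pointer. The toy C++ model below is added here and is not code from the bug, the patch or Mozilla; ToyHeap, Value, throwRootFirst, throwAssignFirst and demo are constructed names, and the stale bit pattern is a constructed stand-in for uninitialised memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Toy model of the hazard in this bug: a GC root is registered for a Value
// before the Value is initialised. Illustration only, not SpiderMonkey's code.
struct Value { uint64_t bits; };  // here: a raw pointer into ToyHeap

struct ToyHeap {
    std::vector<uint8_t> cells;     // GC cells, 8 bytes each
    std::vector<uint8_t> markBits;  // one mark bit per cell
    explicit ToyHeap(size_t nCells) : cells(nCells * 8), markBits(nCells / 8 + 1) {}
    uint64_t base() const { return static_cast<uint64_t>(reinterpret_cast<uintptr_t>(cells.data())); }
    bool contains(uint64_t p) const { return p >= base() && p < base() + cells.size(); }
    bool isMarked(size_t cell) const { return (markBits[cell / 8] >> (cell % 8)) & 1; }

    // Barrier-style rooting: the referent is marked when the root is added, so
    // the Value's bits are read right here. Returns false when they do not
    // point into the heap, standing in for the bad read ASan flagged above.
    bool addValueRoot(Value* v) {
        if (!contains(v->bits)) return false;
        size_t cell = static_cast<size_t>((v->bits - base()) / 8);
        markBits[cell / 8] |= static_cast<uint8_t>(1u << (cell % 8));
        return true;
    }
};

// Buggy order: root the slot, then assign it, so stale bits get dereferenced.
bool throwRootFirst(ToyHeap& heap, Value& slot, uint64_t exception) {
    bool ok = heap.addValueRoot(&slot);
    slot.bits = exception;
    return ok;
}

// Fixed order: the slot holds a real value before anything reads it.
bool throwAssignFirst(ToyHeap& heap, Value& slot, uint64_t exception) {
    slot.bits = exception;
    return heap.addValueRoot(&slot);
}

// Constructed scenario: the slot starts with a stale bit pattern (standing in
// for uninitialised memory); the exception object lives in cell 3.
bool demo(bool fixedOrder, bool* cell3Marked) {
    ToyHeap heap(64);
    Value slot{0xdeadbeefcafef00dULL};
    uint64_t exception = heap.base() + 3 * 8;
    bool ok = fixedOrder ? throwAssignFirst(heap, slot, exception)
                         : throwRootFirst(heap, slot, exception);
    if (cell3Marked) *cell3Marked = heap.isMarked(3);
    return ok;
}
```

In the buggy order the barrier never reaches the real exception object, so cell 3 stays unmarked even though the slot ends up holding a valid pointer.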
(In reply to Boris Zbarsky (:bz) from comment #3)
> Created attachment 731903 [details] [diff] [review]
> Don't try to root an uninitialized value.

This patch fixes the crash completely on my ASAN build.
Abhishek, thanks for confirming that!
Attachment #731903 - Flags: review?(peterv) → review+
Comment on attachment 731903 [details] [diff] [review]
Don't try to root an uninitialized value.

I guess I need to do the sec-approval dance...

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No, depending on your definition of "bulls-eye".

Which older supported branches are affected by this flaw?
Aurora 22.

If not all supported branches, which bug introduced the flaw?
Bug 839088.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch applies as-is.

How likely is this patch to cause regressions; how much testing does it need?
Very low regression risk.
Attachment #731903 - Flags: sec-approval?
Comment on attachment 731903 [details] [diff] [review]
Don't try to root an uninitialized value.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 839088
User impact if declined: Probably-exploitable crashes can be produced.
Testing completed (on m-c, etc.): Passes tests.
Risk to taking this patch (and alternatives if risky): Very low risk
String or IDL/UUID changes made by this patch: Nope.
Attachment #731903 - Flags: approval-mozilla-aurora?
Comment on attachment 731903 [details] [diff] [review]
Don't try to root an uninitialized value.

sec-approval=dveditz
Attachment #731903 - Flags: sec-approval? → sec-approval+
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla23
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 731903 [details] [diff] [review]
Don't try to root an uninitialized value.

low risk sec-crit crash regression in FX22. Patch verified by abhishek in ASAN build. Approving on aurora.
Attachment #731903 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [adv-main22-]
Group: core-security
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
I can't reproduce the crash with a Nightly build from 2013-03-31 on a Windows 7 64bit machine, neither when using the initial testcase, nor when changing the timeout to 50, in the "initCF" function.

I get a single error in the Error Console, that keeps on repeating on and on:

Timestamp: 7/16/2013 7:59:05 AM
Error: The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.
Source File: file:///C:/Users/svuser/Downloads/jsroot/test.html
Line: 0

Does anyone have any thoughts/suggestions?
Flags: needinfo?
Component: DOM → DOM: Core & HTML