Remaining dir=auto issues (1): Heap-use-after-free in mozilla::ResetDir

Status: RESOLVED FIXED
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: inferno, Assigned: smontagu)

Tracking

Version: Trunk
Keywords: crash, csectype-uaf, reproducible, sec-critical, testcase
Bug Flags: sec-bounty +

Firefox Tracking Flags

(firefox20 disabled, firefox21+ fixed, firefox22+ fixed, firefox23+ fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][adv-main21+])

Attachments

(2 attachments)

Description (Reporter, 5 years ago)

Created attachment 734318
Testcase

==6690== ERROR: AddressSanitizer: heap-use-after-free on address 0x6018002edbec at pc 0x7f9e09ba0318 bp 0x7fff78ae18a0 sp 0x7fff78ae1898
READ of size 4 at 0x6018002edbec thread T0
    #0 0x7f9e09ba0317 in mozilla::ResetDir(mozilla::dom::Element*) ../../../dist/include/nsINode.h:1354
    #1 0x7f9e09d19bc9 in mozilla::dom::Element::UnbindFromTree(bool, bool) content/base/src/Element.cpp:1331
    #2 0x7f9e09fde7cc in nsGenericHTMLElement::UnbindFromTree(bool, bool) content/html/content/src/nsGenericHTMLElement.cpp:655
    #3 0x7f9e09d52119 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) content/base/src/nsINode.cpp:1399
    #4 0x7f9e09e42658 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) content/base/src/FragmentOrElement.cpp:924
    #5 0x7f9e09d4acad in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) content/base/src/nsINode.cpp:462
    #6 0x7f9e0a9b375d in DeleteNodeTxn::DoTransaction() editor/libeditor/base/DeleteNodeTxn.cpp:77
    #7 0x7f9e0b3f28c5 in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) editor/txmgr/src/nsTransactionManager.cpp:782
    #8 0x7f9e0b3f0531 in nsTransactionManager::DoTransaction(nsITransaction*) editor/txmgr/src/nsTransactionManager.cpp:77
    #9 0x7f9e0a96d0d9 in nsEditor::DoTransaction(nsITransaction*) editor/libeditor/base/nsEditor.cpp:695
    #10 0x7f9e0a975767 in nsEditor::DeleteNode(nsINode*) editor/libeditor/base/nsEditor.cpp:1512
    #11 0x7f9e0a97542b in nsEditor::DeleteNode(nsIDOMNode*) editor/libeditor/base/nsEditor.cpp:1496
    #12 0x7f9e0ab3ad86 in nsHTMLEditor::DeleteNode(nsIDOMNode*) editor/libeditor/html/nsHTMLEditor.cpp:3193
    #13 0x7f9e0a978267 in nsEditor::MoveNode(nsIDOMNode*, nsIDOMNode*, int) editor/libeditor/base/nsEditor.cpp:1768
    #14 0x7f9e0aba7b64 in nsHTMLEditRules::ApplyBlockStyle(nsCOMArray<nsIDOMNode>&, nsAString_internal const*) editor/libeditor/html/nsHTMLEditRules.cpp:7391
    #15 0x7f9e0ab851f4 in nsHTMLEditRules::WillMakeBasicBlock(mozilla::Selection*, nsAString_internal const*, bool*, bool*) editor/libeditor/html/nsHTMLEditRules.cpp:3627
    #16 0x7f9e0ab6f3ab in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) editor/libeditor/html/nsHTMLEditRules.cpp:638
    #17 0x7f9e0ab29d52 in nsHTMLEditor::InsertBasicBlock(nsAString_internal const&) editor/libeditor/html/nsHTMLEditor.cpp:2111
    #18 0x7f9e0ab28fa5 in nsHTMLEditor::SetParagraphFormat(nsAString_internal const&) editor/libeditor/html/nsHTMLEditor.cpp:1718
    #19 0x7f9e0b5a2c68 in nsParagraphStateCommand::SetState(nsIEditor*, nsString&) editor/composer/src/nsComposerCommands.cpp:654
    #20 0x7f9e0b5a225c in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) editor/composer/src/nsComposerCommands.cpp:599
    #21 0x7f9e0b380777 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
    #22 0x7f9e0b378334 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
    #23 0x7f9e0b37d738 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) embedding/components/commandhandler/src/nsCommandManager.cpp:233
    #24 0x7f9e0a3a9dbf in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) content/html/document/src/nsHTMLDocument.cpp:3483
    #25 0x7f9e0c1273a7 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, unsigned int, JS::Value*) objdir-ff-asan/dom/bindings/HTMLDocumentBinding.cpp:817
    #26 0x7f9e0c124253 in mozilla::dom::HTMLDocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) objdir-ff-asan/dom/bindings/HTMLDocumentBinding.cpp:1561
    #27 0x7f9e0daccfb3 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h:338
    #28 0x7f9e0dacdf6f in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.h:135
    #29 0x7f9e0e3e8f89 in js::ion::DoCallFallback(JSContext*, js::ion::BaselineFrame*, js::ion::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/ion/BaselineIC.cpp:6049
    #30 0x7f9df3bb7952 in
0x6018002edbec is located 44 bytes inside of 120-byte region [0x6018002edbc0,0x6018002edc38)
freed by thread T0 here:
    #0 0x4186d2 in __interceptor_free
    #1 0x7f9e09d83f4f in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:259
    #2 0x7f9e09d376f5 in nsGenericDOMDataNode::Release() content/base/src/nsGenericDOMDataNode.cpp:116
    #3 0x7f9e095f0094 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) ../../dist/include/nsContentUtils.h:2296
    #4 0x7f9e097bf4e0 in nsFrameSelection::MoveCaret(unsigned int, bool, nsSelectionAmount, bool) layout/generic/nsSelection.cpp:746
    #5 0x7f9e097dd5d1 in mozilla::Selection::Modify(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&) layout/generic/nsSelection.cpp:5359
    #6 0x7f9e0c78985d in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #7 0x7f9e0b112aa3 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2953
    #8 0x7f9e0b124740 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1459
    #9 0x7f9e0daccfb3 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h:338
    #10 0x7f9e0dabf618 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2393
    #11 0x7f9e0daaddad in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:365
    #12 0x7f9e0dacced2 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:422
    #13 0x7f9e0dacdf6f in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.h:135
    #14 0x7f9e0d98491a in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5854
    #15 0x7f9e0b1011e9 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1433
    #16 0x7f9e0b0f1afa in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:579
    #17 0x7f9e0c78aa24 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #18 0x7f9e0c789a96 in SharedStub
    #19 0x7f9e09f24d32 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:932
    #20 0x7f9e09f85bee in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) content/events/src/nsEventListenerManager.h:277
previously allocated by thread T0 here:
    #0 0x4187b2 in __interceptor_malloc
    #1 0x7f9e12858418 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
    #2 0x7f9e094aad76 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) layout/base/nsCSSFrameConstructor.cpp:3798
    #3 0x7f9e094a42e9 in nsCSSFrameConstructor::ConstructSelectFrame(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:2942
    #4 0x7f9e094a7e1c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:3531
    #5 0x7f9e094af270 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:5481
==6690== ABORTING
ResetDir() is using a deleted text node it got from a dirAutoSetBy property.
Assignee: nobody → smontagu
Blocks: 548206
Severity: normal → critical
Keywords: crash, csec-uaf, reproducible, sec-critical, testcase
OS: Windows 7 → All
Hardware: x86_64 → All
Whiteboard: [asan]
Created attachment 734428 (patch)
fwiw, some debugging

AddEntryToMap: Text@0x7fffc798af40 flags=[0000001e] primaryframe=(nil) refcount=2<High Grade>
###!!! ASSERTION: IsInAnonymousSubtree: 'Error', file content/base/src/DirectionalityUtils.cpp, line 459
bdi@0x7fffc75c1b40 id="test1" dir="&locale.dir;" state=[40000020000] flags=[03200002] primaryframe=0x7fffe02a1f68 refcount=9<
  script@...
  Text@0x7fffc75e5a40 flags=[00000000] primaryframe=0x7fffe08fb688 refcount=2<&gt;>
  select@0x7fffbf54f640 _moz-type="-mozilla-keygen" id="test2" state=[40000011240] flags=[00200401] primaryframe=(nil) refcount=11<
    option@0x7fffc75d1740 state=[40000010060] flags=[00200000] primaryframe=0x7fffe08fb5b0 refcount=4<
      Text@0x7fffc75d1940 flags=[02000002] primaryframe=0x7fffe08fa8f0 refcount=2<High Grade>
    >
    option@0x7fffc75d1a40 state=[40000010040] flags=[00200000] primaryframe=0x7fffe08fa0a0 refcount=4<
      Text@0x7fffc75d1b40 flags=[02000000] primaryframe=0x7fffe08fa220 refcount=2<Medium Grade>
    >
  >
>
status-b2g18: --- → unaffected
status-firefox20: --- → disabled
status-firefox21: --- → affected
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
tracking-firefox22: --- → +
tracking-firefox23: --- → +

Comment 3 (5 years ago)
WFM (using ASan on Mac)

Comment 4 (Assignee, 5 years ago)
Fixed by bug 861607
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Depends on: 861607
Resolution: --- → FIXED
Comment 5 (Assignee, 5 years ago)
(that is to say, bug 861606 makes this assert instead of crash, and bug 861607 fixes the assert)
Flags: sec-bounty? → sec-bounty+
Marking the status flags in this bug fixed as Bug 861607 was uplifted all the way to Fx21.
status-firefox21: affected → fixed
status-firefox22: affected → fixed
status-firefox23: affected → fixed
Whiteboard: [asan] → [asan][adv-main21+]
Group: core-security