Open Bug 865284 Opened 12 years ago Updated 2 years ago

Buffer overflow xul!mozilla::dom::Element::BindToTree

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect

Tracking


Tracking Status
firefox89 --- affected
firefox90 --- affected
firefox91 --- affected

People

(Reporter: chromium.khalil, Unassigned)

Details

(5 keywords, Whiteboard: stack-exhaustion)

Attachments

(2 files)

Attached file testcase
This testcase causes a crash after a few seconds. Here's part of the stack trace (Windbg):

00033028 013a6b60 xul!mozilla::dom::Element::BindToTree+0xcf [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1206]
00033048 013a6984 xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
00033084 013a6b60 xul!mozilla::dom::Element::BindToTree+0x264 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1213]
000330a4 013ef25e xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
000330c0 014b4b94 xul!nsGenericHTMLFormElement::BindToTree+0x17 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 2267]
000330dc 013a6984 xul!nsHTMLSelectElement::BindToTree+0x19 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nshtmlselectelement.cpp @ 1304]
00033118 013a6b60 xul!mozilla::dom::Element::BindToTree+0x264 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1213]
00033138 013a6984 xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
00033174 013a6b60 xul!mozilla::dom::Element::BindToTree+0x264 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1213]
00033194 013ef25e xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
000331b0 014b4b94 xul!nsGenericHTMLFormElement::BindToTree+0x17 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 2267]
000331cc 013a6984 xul!nsHTMLSelectElement::BindToTree+0x19 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nshtmlselectelement.cpp @ 1304]
00033208 013a6b60 xul!mozilla::dom::Element::BindToTree+0x264 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1213]
00033228 013a6984 xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
00033264 013a6b60 xul!mozilla::dom::Element::BindToTree+0x264 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1213]
00033284 013ef25e xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
000332a0 014b4b94 xul!nsGenericHTMLFormElement::BindToTree+0x17 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 2267]
000332bc 013a6984 xul!nsHTMLSelectElement::BindToTree+0x19 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nshtmlselectelement.cpp @ 1304]
000332f8 013a6b60 xul!mozilla::dom::Element::BindToTree+0x264 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\element.cpp @ 1213]
00033318 013a6984 xul!nsGenericHTMLElement::BindToTree+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\content\src\nsgenerichtmlelement.cpp @ 604]
Keywords: assertion
Attached file testcase(text/html)
Component: XUL → DOM
Attachment #741346 - Attachment mime type: text/plain → text/html
So we're recursively cloning a very deep DOM tree. When the crash happens there are about 10000 frames on the stack. The top several frames are inside jemalloc. The actual crash is at:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00007fff5f3fff58
0x000000010003744d in arena_run_reg_alloc (run=0x1259a8000, bin=0x100400520) at jemalloc.c:3205
3205 bit = ffs((int)mask) - 1;

If I try to call any function in the debugger at this point, I get the same signal. So at a guess, this is just us running out of C stack, not a security issue beyond DoS.
Reporter, what makes you think there is a buffer overflow involved?
Flags: needinfo?(chromium.khalil)
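As an added illustration of the diagnosis above (this is constructed example code, not Gecko's BindToTree or anything from the attached testcase): a toy tree bound first by a recursive walk shaped like the frames in the trace, where every nesting level of the document consumes a native stack frame, and then by an iterative walk that keeps the pending nodes in a heap worklist, so document depth stops translating into C stack depth. Node, bind_recursive, bind_iterative and build_deep_chain are names assumed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Minimal stand-in for a DOM node (constructed; not Gecko's type). */
typedef struct Node { struct Node *first_child, *next_sibling; bool bound; } Node;

/* Recursive form, as in the reported trace: each nesting level costs a native stack frame. */
size_t bind_recursive(Node *n) {
    size_t count = 0;
    for (; n; n = n->next_sibling) {
        n->bound = true;
        count += 1 + bind_recursive(n->first_child);
    }
    return count;
}

/* Iterative form: pending nodes sit in a heap-allocated worklist, so depth
 * costs heap memory, not native stack. Returns nodes bound, 0 on OOM. */
size_t bind_iterative(Node *root) {
    size_t cap = 64, top = 0, count = 0;
    Node **work = malloc(cap * sizeof *work);
    if (!work) return 0;
    if (root) work[top++] = root;
    while (top) {
        Node *n = work[--top];
        n->bound = true;
        count++;
        if (top + 2 > cap) {   /* grow before pushing up to two entries */
            Node **grown = realloc(work, 2 * cap * sizeof *work);
            if (!grown) { free(work); return 0; }
            work = grown; cap *= 2;
        }
        if (n->next_sibling) work[top++] = n->next_sibling;  /* siblings and children */
        if (n->first_child)  work[top++] = n->first_child;   /* visited without recursion */
    }
    free(work);
    return count;
}

/* Build a tree nested `depth` levels deep: each node is its parent's only child. */
Node *build_deep_chain(size_t depth) {
    Node *root = NULL;
    for (size_t i = 0; i < depth; i++) {
        Node *n = calloc(1, sizeof *n);
        if (!n) return root;
        n->first_child = root;
        root = n;
    }
    return root;
}
```

A chain far deeper than the ~10000 levels seen in the crash binds fine through bind_iterative, while the same chain through bind_recursive is bounded only by the thread's native stack size.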
Actually, me too, I wasn't sure if it is a security issue.
Flags: needinfo?(chromium.khalil)
Group: core-security
Keywords: crash, csec-dos, testcase
Whiteboard: stack-exhaustion
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-other
Component: DOM → DOM: Core & HTML

This is still reproducible on the latest versions of Firefox Nightly 91.0a1 (2021-06-15), beta 90.0b8 and release 89.0 on Windows 10.
Updating flags.

Severity: critical → S2
Severity: S2 → S3