Closed Bug 868300 Opened 12 years ago Closed 12 years ago

[FIX] Heap-use-after-free in mozilla::dom::ValidityStateBinding::get_valueMissing

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla24
Tracking Status
firefox21 --- unaffected
firefox22 + verified
firefox23 + verified
firefox24 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: smaug)

Details

(4 keywords, Whiteboard: [adv-main22-])

Attachments

(3 files)

Attached file Testcase —
Need to install fuzzPriv extension

==21059== ERROR: AddressSanitizer: heap-use-after-free on address 0x603c00256e38 at pc 0x7f99226c67d6 bp 0x7fff09764f50 sp 0x7fff09764f48
READ of size 1 at 0x603c00256e38 thread T0
    #0 0x7f99226c67d5 in nsIConstraintValidation::GetValidityState(nsIConstraintValidation::ValidityStateType) const ../../dist/include/nsIConstraintValidation.h:84
    #1 0x7f9922f3d26d in mozilla::dom::ValidityState::GetValidityState(nsIConstraintValidation::ValidityStateType) const ../../dist/include/mozilla/dom/ValidityState.h:93
    #2 0x7f9922f3aa23 in mozilla::dom::ValidityState::ValueMissing() const ../../dist/include/mozilla/dom/ValidityState.h:39
    #3 0x7f992beb783e in mozilla::dom::ValidityStateBinding::get_valueMissing(JSContext*, JS::Handle<JSObject*>, mozilla::dom::ValidityState*, JS::Value*) objdir-ff-asan-sym/dom/bindings/ValidityStateBinding.cpp:27
    #4 0x7f992beb45e0 in mozilla::dom::ValidityStateBinding::genericGetter(JSContext*, unsigned int, JS::Value*) objdir-ff-asan-sym/dom/bindings/ValidityStateBinding.cpp:230
    #5 0x7f993469f24f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:337
    #6 0x7f993469f24f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:428
    #7 0x7f99340c9756 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:134
    #8 0x7f99346a3350 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:475
    #9 0x7f99346a7c9c in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:546
    #10 0x7f9934912176 in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) js/src/vm/Shape-inl.h:300
    #11 0x7f99348bb02a in _ZL15NativeGetInlineILN2js7AllowGCE1EEiP9JSContextNS0_11MaybeRootedIP8JSObjectXT_EE10HandleTypeES8_S8_NS4_IPNS0_5ShapeEXT_EE10HandleTypeEjNS4_IN2JS5ValueEXT_EE17MutableHandleTypeE js/src/jsobj.cpp:3767
    #12 0x7f99348bb02a in _ZL23GetPropertyHelperInlineILN2js7AllowGCE1EEiP9JSContextNS0_11MaybeRootedIP8JSObjectXT_EE10HandleTypeES8_NS4_IlXT_EE10HandleTypeEjNS4_IN2JS5ValueEXT_EE17MutableHandleTypeE js/src/jsobj.cpp:3941
    #13 0x7f99348bb02a in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) js/src/jsobj.cpp:3950
    #14 0x7f99346c7be4 in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jsinterpinlines.h:294
    #15 0x7f993466b4b7 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2254
    #16 0x7f993462843d in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:385
    #17 0x7f99346a8cdb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/jsinterp.cpp:573
    #18 0x7f99346aa871 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/jsinterp.cpp:612
    #19 0x7f9933fc9354 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) js/src/jsapi.cpp:5646
    #20 0x7f9923b8ec13 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) dom/base/nsJSEnvironment.cpp:1306
    #21 0x7f9923d5a1cc in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) dom/base/nsGlobalWindow.cpp:10185
    #22 0x7f9923d0ea52 in nsGlobalWindow::RunTimeout(nsTimeout*) dom/base/nsGlobalWindow.cpp:10433
    #23 0x7f9923d58011 in nsGlobalWindow::TimerCallback(nsITimer*, void*) dom/base/nsGlobalWindow.cpp:10702
    #24 0x7f992cafe9a2 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:547
    #25 0x7f992caffdfd in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:634
    #26 0x7f992cac5aa7 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:627
    #27 0x7f992c764c12 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
    #28 0x7f992719365b in nsXULWindow::ShowModal() xpfe/appshell/src/nsXULWindow.cpp:362
    #29 0x7f9927172a47 in nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:522
    #30 0x7f9927172bf8 in non-virtual thunk to nsContentTreeOwner::ShowAsModal() xpfe/appshell/src/nsContentTreeOwner.cpp:523
    #31 0x7f9926f8fbc0 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1007
    #32 0x7f9926f83484 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) embedding/components/windowwatcher/src/nsWindowWatcher.cpp:343
    #33 0x7f992cbe69db in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #34 0x7f99266d231f in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2945
    #35 0x7f99266d231f in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2280
    #36 0x7f99266d231f in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2246
    #37 0x7f992672bd11 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1485
    #38 0x7f993469f24f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:337
    #39 0x7f993469f24f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:428
    #40 0x7f9934678abc in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2404
    #41 0x7f993462843d in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:385
    #42 0x7f993469f8f8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:442
    #43 0x7f99340c9756 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:134
    #44 0x7f99346a3350 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:475
    #45 0x7f9933fd31f0 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5842
    #46 0x7f99266900f9 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1435
    #47 0x7f9926643aec in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:578
    #48 0x7f992cbec084 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #49 0x7f992cbe913a in SharedStub

0x603c00256e38 is located 184 bytes inside of 368-byte region [0x603c00256d80,0x603c00256ef0)
freed by thread T0 here:
    #0 0x4186d2 in __interceptor_free
    #1 0x7f993f38877e in moz_free memory/mozalloc/mozalloc.cpp:48
    #2 0x7f9922e59879 in operator delete(void*) ../../../../dist/include/mozilla/mozalloc.h:225
    #3 0x7f9922e59879 in mozilla::dom::HTMLTextAreaElement::~HTMLTextAreaElement() ../../../../dist/include/mozilla/dom/HTMLTextAreaElement.h:32
    #4 0x7f99214a46e5 in nsNodeUtils::LastRelease(nsINode*) content/base/src/nsNodeUtils.cpp:258
    #5 0x7f99217509ca in mozilla::dom::FragmentOrElement::Release() content/base/src/FragmentOrElement.cpp:1713
    #6 0x7f9922e33e75 in mozilla::dom::HTMLTextAreaElement::Release() content/html/content/src/HTMLTextAreaElement.cpp:93
    #7 0x7f992c767bb0 in nsXPCOMCycleCollectionParticipant::UnrootImpl(void*) objdir-ff-asan-sym/xpcom/build/nsCycleCollectionParticipant.cpp:37
    #8 0x7f992cb7696f in nsCycleCollector::CollectWhite(nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:2388
    #9 0x7f992cb66e53 in nsCycleCollector::FinishCollection(nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:2819
    #10 0x7f992cb656da in nsCycleCollectorRunner::Collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:1172
    #11 0x7f992cb7c6f3 in nsCycleCollector::Collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:2755
    #12 0x7f992cb817e7 in nsCycleCollector_collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:3049
    #13 0x7f9923b7a615 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int, bool) dom/base/nsJSEnvironment.cpp:2687
    #14 0x7f9923b77ec1 in nsJSEnvironmentObserver::Observe(nsISupports*, char const*, unsigned short const*) dom/base/nsJSEnvironment.cpp:252
    #15 0x7f992c86aae2 in nsObserverList::NotifyObservers(nsISupports*, char const*, unsigned short const*) xpcom/ds/nsObserverList.cpp:99
    #16 0x7f992c878986 in nsObserverService::NotifyObservers(nsISupports*, char const*, unsigned short const*) xpcom/ds/nsObserverService.cpp:161
    #17 0x7f992cbe69db in NS_InvokeByIndex xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #18 0x7f99266d231f in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:2945
    #19 0x7f99266d231f in CallMethodHelper::Call() js/xpconnect/src/XPCWrappedNative.cpp:2280
    #20 0x7f99266d231f in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:2246
    #21 0x7f992672bd11 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1485
    #22 0x7f993469f24f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:337
    #23 0x7f993469f24f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:428
    #24 0x7f9934678abc in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2404
    #25 0x7f993462843d in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:385
    #26 0x7f993469f8f8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:442
    #27 0x7f99340c9756 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:134
    #28 0x7f99343f6e5e in js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp:1148
    #29 0x7f993469f24f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:337
    #30 0x7f993469f24f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:428
    #31 0x7f99340c9756 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:134
    #32 0x7f99346a3350 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:475
    #33 0x7f99349d60dd in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) js/src/jsproxy.cpp:481
    #34 0x7f99350187e2 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) js/src/jswrapper.cpp:445

previously allocated by thread T0 here:
    #0 0x4187b2 in __interceptor_malloc
    #1 0x7f993f3888c5 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
    #2 0x7f9922e31b73 in operator new(unsigned long) ../../../../dist/include/mozilla/mozalloc.h:201
    #3 0x7f9922e31b73 in nsGenericHTMLElement* mozilla::dom::NewHTMLElementHelper::Create<nsHTMLTextAreaElement, mozilla::dom::HTMLTextAreaElement>(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser, mozilla::dom::NewHTMLElementHelper::SFINAE<bool (*)(nsIDocument*), mozilla::dom::HTMLTextAreaElement::InNavQuirksMode>*) content/html/content/src/nsGenericHTMLElement.h:1864
    #4 0x7f9922e318f2 in NS_NewHTMLTextAreaElement(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/content/src/HTMLTextAreaElement.cpp:47
    #5 0x7f9922f92cfe in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/document/src/nsHTMLContentSink.cpp:498
    #6 0x7f9922f93525 in NS_NewHTMLElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/html/document/src/nsHTMLContentSink.cpp:481
    #7 0x7f9921472a5a in NS_NewElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) content/base/src/nsNameSpaceManager.cpp:192
    #8 0x7f99211038d6 in nsIDocument::CreateElementNS(nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) content/base/src/nsDocument.cpp:4775
    #9 0x7f992a6ce904 in mozilla::dom::DocumentBinding::createElementNS(JSContext*, JS::Handle<JSObject*>, nsIDocument*, unsigned int, JS::Value*) objdir-ff-asan-sym/dom/bindings/DocumentBinding.cpp:524
    #10 0x7f992a6290fa in mozilla::dom::DocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) objdir-ff-asan-sym/dom/bindings/DocumentBinding.cpp:7355
    #11 0x7f993469f24f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:337
    #12 0x7f993469f24f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:428
    #13 0x7f9934678abc in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode, bool) js/src/jsinterp.cpp:2404
    #14 0x7f993462843d in js::RunScript(JSContext*, js::StackFrame*) js/src/jsinterp.cpp:385
    #15 0x7f993469f8f8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:442
    #16 0x7f99340c9756 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:134
    #17 0x7f99346a3350 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:475
    #18 0x7f9933fd31f0 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) js/src/jsapi.cpp:5842
    #19 0x7f99266900f9 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1435
    #20 0x7f9926643aec in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp:578
    #21 0x7f992cbec084 in PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #22 0x7f992cbe913a in SharedStub
    #23 0x7f9921dd0a0c in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:922
    #24 0x7f9921dd309f in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:993
    #25 0x7f9921fd95ab in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.h:326
    #26 0x7f9921fc93f7 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:200
    #27 0x7f9921fc6dbc in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:325
    #28 0x7f9921fce9eb in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) content/events/src/nsEventDispatcher.cpp:631
    #29 0x7f9921fd0f9d in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) content/events/src/nsEventDispatcher.cpp:691
    #30 0x7f99213e68c4 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) content/base/src/nsINode.cpp:1135
    #31 0x7f9920eeac2b in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) content/base/src/nsContentUtils.cpp:3580

Shadow bytes around the buggy address:
  0x0c0800042d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042db0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c0800042dc0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c0800042dd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0800042de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0800042e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==21059== ABORTING
So I tried your testcase with a few form controls and it seems to be reproducible easily with a Nightly ASAN build. The only reason I see for this to happen is that the nsIConstraintValidation ctor isn't called or it is called but mValidity is incorrectly null. It seems that an nsIConstraintValidation is called but given that the Nightly ASAN build is optimized, I wasn't able to see if it was the expected one and if mValidity is null or not. Setting up a local ASAN build seems a bit of a burden so I would appreciate if someone could investigate a bit more. Also, I wonder if that is a regression or not (there were a bunch of changes in that code related to the move to webidl).
Group: dom-core-security
Component: General → DOM: Core & HTML
Product: Firefox → Core
So the basic structure of the testcase is:

1) Grab a ValidityState object off a textarea.
2) GC the textarea.
3) Try to get .valueMissing off the object from step 1.

This ends up doing:

    return mConstraintValidation &&
           mConstraintValidation->GetValidityState(aState);

and ValidityState has:

    // Weak reference to owner which will call Disconnect() when being destroyed.
    nsIConstraintValidation* mConstraintValidation;

(always a bad sign). Now mValidity is a member on nsIConstraintValidation and ~nsIConstraintValidation does call Disconnect() if mValidity. But mValidity is also cycle-collected by the form controls, so gets nulled out in unlink _without_ the Disconnect call. That applies to HTMLButtonElement, HTMLInputElement, HTMLFieldSetElement, HTMLObjectElement, HTMLOutputElement, HTMLSelectElement, and of course HTMLTextAreaElement.

We need to either make this a strong ref and CC ValidityState or make sure to call Disconnect during unlink (and perhaps hoist the traversing/unlinking of mValidity up to helpers on nsIConstraintValidation so it only needs to happen in one spot).

Mounir, preferences?
Flags: needinfo?(mounir)
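The lifetime problem described in comment 2, reduced to a stand-alone model. This is an added example, not Gecko code: ConstraintValidation stands in for nsIConstraintValidation (the form-control side), ValidityState for mozilla::dom::ValidityState, and std::shared_ptr plays the role of the script wrapper that keeps the state alive after its owner is gone. The member names mValidity, mConstraintValidation and Disconnect() mirror the bug; UnlinkBuggy/UnlinkFixed, the helper functions and the sample values are this example's own. It shows why a cycle-collector unlink that nulls mValidity without disconnecting leaves the weak back-pointer dangling, and how the "call Disconnect during unlink" option from comment 2 closes the window (the landed patch instead took the strong-ref route, per comment 12).

```cpp
// Added example (not Gecko code): reduced model of the ValidityState
// lifetime bug. Names mirror the bug report; the classes are stand-ins.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

class ConstraintValidation;

// Stands in for mozilla::dom::ValidityState. Script can hold it longer than
// its owner; it reaches back through a raw, non-owning pointer.
class ValidityState {
public:
  explicit ValidityState(ConstraintValidation* aOwner)
      : mConstraintValidation(aOwner) {}

  // The owner must call this before it dies, or the pointer dangles.
  void Disconnect() { mConstraintValidation = nullptr; }
  bool IsConnected() const { return mConstraintValidation != nullptr; }

  bool ValueMissing() const;  // defined once ConstraintValidation is complete

private:
  ConstraintValidation* mConstraintValidation;  // weak back-reference
};

// Stands in for nsIConstraintValidation on a form control.
class ConstraintValidation {
public:
  ConstraintValidation(bool aRequired, std::string aValue)
      : mRequired(aRequired), mValue(std::move(aValue)) {}

  // Like ~nsIConstraintValidation: disconnects only if mValidity is still set.
  ~ConstraintValidation() {
    if (mValidity) mValidity->Disconnect();
  }

  std::shared_ptr<ValidityState> Validity() {
    if (!mValidity) mValidity = std::make_shared<ValidityState>(this);
    return mValidity;
  }

  bool GetValueMissing() const { return mRequired && mValue.empty(); }

  // The unlink described in the bug: mValidity is nulled, so the destructor
  // later finds nothing to Disconnect() and the script-held state dangles.
  void UnlinkBuggy() { mValidity.reset(); }

  // Unlink that disconnects first (one of the two fixes comment 2 proposes).
  void UnlinkFixed() {
    if (mValidity) mValidity->Disconnect();
    mValidity.reset();
  }

private:
  bool mRequired;
  std::string mValue;
  std::shared_ptr<ValidityState> mValidity;  // the member the CC unlinks
};

// Same shape as the getter ASan flagged: null check, then owner dereference.
inline bool ValidityState::ValueMissing() const {
  return mConstraintValidation && mConstraintValidation->GetValueMissing();
}

// True when the script-held ValidityState still points at a destroyed owner.
// The pointer is only compared, never dereferenced, so this stays defined.
bool DanglingAfterUnlink(bool aUseFixedUnlink) {
  std::shared_ptr<ValidityState> held;  // the JS wrapper's reference
  {
    ConstraintValidation owner(true, "");  // required + empty: valueMissing
    held = owner.Validity();
    if (aUseFixedUnlink) owner.UnlinkFixed(); else owner.UnlinkBuggy();
  }  // owner destroyed here
  return held->IsConnected();
}

bool ValueMissingWhileAlive() {
  ConstraintValidation owner(true, "");
  return owner.Validity()->ValueMissing();
}

// After the fixed unlink the getter degrades to false instead of reading
// freed memory (the "random data" comment 12's test observes).
bool ValueMissingAfterFixedUnlink() {
  std::shared_ptr<ValidityState> held;
  {
    ConstraintValidation owner(true, "");
    held = owner.Validity();
    owner.UnlinkFixed();
  }
  return held->ValueMissing();
}

int main() {
  std::printf("dangling after buggy unlink: %d\n", DanglingAfterUnlink(false));
  std::printf("dangling after fixed unlink: %d\n", DanglingAfterUnlink(true));
  std::printf("valueMissing while alive:    %d\n", ValueMissingWhileAlive());
  std::printf("valueMissing after fix:      %d\n", ValueMissingAfterFixedUnlink());
  return 0;
}
```

The buggy path is exactly the ordering the trace shows: the cycle collector's unlink runs before the element's destructor, so the destructor's Disconnect() guard sees a null mValidity and the ValidityState keeps its stale owner pointer for the next getter call.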
Oh, and seems like the testcase should be able to be simplified to something like this:

    var obj = (function() { return document.createElement("textarea").validity; })();
    cc();
    obj.valueMissing;

at least in theory...
bz - looks like you might be doing the work here? Mounir can you provide the necessary feedback to unblock this bug? Now that we've merged 23 to Aurora, tracked bugs need to have assignees and if this is going to be considered for beta uplift we'll want a risk assessment of the potential fix sooner rather than later.
Assignee: nobody → bzbarsky
Sorry for not replying earlier. I use a dashboard for requests and it does not show security bugs :(

(In reply to Boris Zbarsky (:bz) from comment #2)
> We need to either make this a strong ref and CC ValidityState or make sure
> to call Disconnect during unlink (and perhaps hoist the traversing/unlinking
> of mValidity up to helpers on nsIConstraintValidation so it only needs to
> happen in one spot).
>
> Mounir, preferences?

I think I used a weak ref to prevent creating a cycle. I guess we could continue with that vision but if you think it's not worth it, having a strong ref is fine.
Flags: needinfo?(mounir)
Assignee: bzbarsky → bugs
qawanted for status-firefox22
Keywords: qawanted
QA Contact: mwobensmith
Attached patch patch — — Splinter Review
Attachment #750010 - Flags: review?(mounir)
I don't see a crash in FF22, debug or debug ASan. I also tried FF23, no crash. So I can't get it to crash at all, and therefore can't confirm whether or not it happens on FF22. Abhishek, can you try on a FF22 branch? And can you try on both ASan and non-ASan builds, if possible? Thank you.
Based on code inspection there is a bug, but I haven't managed to reproduce the crash.
(In reply to Matt Wobensmith from comment #8)
> I don't see a crash in FF22, debug or debug ASan.
>
> I also tried FF23, no crash.
>
> So I can't get it to crash at all, and therefore can't confirm whether or
> not that it happens on FF22.
>
> Abhishek, can you try on a FF22 branch? And can you try on both ASan and
> non-ASan builds, if possible? Thank you.

I just tried it on trunk build FF24 with release ASAN. It reproduces instantly. Did you install the fuzzPriv extension that is needed to force gc? [download from https://www.squarefree.com/extensions/domFuzzLite3.xpi]
Attachment #750010 - Flags: review?(mounir) → review+
Attached file a test —
This shows how the valid state changes somewhat randomly because we read random data.
Comment on attachment 750010 [details] [diff] [review]
patch

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
It is easy to see what the problem is, but I'm not sure how easy it is to construct an exploit based on that. The problem is a read from a deleted object.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message will be about simplifying lifetime management by using cycle collector

Which older supported branches are affected by this flaw?
Not esr17

If not all supported branches, which bug introduced the flaw?
Bug 827158

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Looks like the patch applies to beta and aurora too, with some fuzz

How likely is this patch to cause regressions; how much testing does it need?
Should be safe.
Attachment #750010 - Flags: sec-approval?
Attachment #750010 - Flags: approval-mozilla-beta?
Attachment #750010 - Flags: approval-mozilla-aurora?
Status: NEW → ASSIGNED
Summary: Heap-use-after-free in mozilla::dom::ValidityStateBinding::get_valueMissing → [FIX] Heap-use-after-free in mozilla::dom::ValidityStateBinding::get_valueMissing
Abhishek, apologies, but in comment 8, I was asking for a repro in FF22, not FF24. I'll give it a try in FF24 myself in the meantime. :)
(In reply to Mounir Lamouri (:mounir) from comment #1)
> Setup-ing a local ASAN build seems a bit of o burden so I would appreciate
> if someone could investigate a bit more.

linux64 asan builds are available at
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/

Some Mac asan try builds are available from https://people.mozilla.com/~choller/firefox/asan/
I can now repro reliably in FF23 and FF24, but not FF22. I see Alex set the status flag for FF22 to affected. Is that correct?
Based on code inspection yes. This is a regression from Bug 827158
Flags: sec-bounty?
Comment on attachment 750010 [details] [diff] [review]
patch

sec-approval+ for m-c. Sorry, this somehow got lost in email and I didn't realize it was waiting. (I use filters to avoid this but I must be stupid or something.)
Attachment #750010 - Flags: sec-approval? → sec-approval+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Thanks. Please create and nominate patches for branches so we can avoid shipping this issue in a final release.
The patch is just waiting for branch approval.
Attachment #750010 - Flags: approval-mozilla-beta?
Attachment #750010 - Flags: approval-mozilla-beta+
Attachment #750010 - Flags: approval-mozilla-aurora?
Attachment #750010 - Flags: approval-mozilla-aurora+
Ah, I missed that. I see it has approval now.
Group: dom-core-security
What is this dom-core-security group and why can't I see bugs in it?
Dan Veditz is organizing a new hierarchy of security groups that should wind up being relatively painless to give more people access to security bugs in their own areas.
The new sec groups are a work in progress and thus they should not actually be used yet, but David and I got excited about them when we saw them and started flagging things when we shouldn't have. :)
Ok. I hope bugzilla is smart enough to take the union of groups and not the intersection ...
"Only users in all of the selected groups can view this bug:" It sounded like union was not available.
Doesn't sound like that will help give more people access then.
Where can I find Win7 64bit ASAN builds to reproduce and verify this bug?
Flags: needinfo?
(In reply to Ioana Budnar, QA [:ioana] from comment #30)
> Where can I find Win7 64bit ASAN builds to reproduce and verify this bug?

Matt, can you assist Ioana in verifying this bug?
Flags: needinfo?
Confirmed crash on FF23, 2013-05-20
Verified fixed on FF22, 2013-05-30
Verified fixed on FF23, 2013-05-30
Verified fixed on FF24, 2013-05-30
All ASan builds.
Status: RESOLVED → VERIFIED
Thanks Matt!
Flags: sec-bounty? → sec-bounty+
Keywords: qawanted
Whiteboard: [adv-main22-]
Group: core-security