Closed
Bug 930265
Opened 12 years ago
Closed 12 years ago
heap-buffer-overflow in libxul.so!nsComputedDOMStyle::GetStyleContextForElementNoFlush
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
Status: RESOLVED DUPLICATE of bug 930281
People
(Reporter: tsmith, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dupe 930281])
Crash Data
Attachments
(3 files)
Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF.
==29710==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00036c3b8 at pc 0x7f57370f07b0 bp 0x7fff28c84b90 sp 0x7fff28c84b88
READ of size 4 at 0x60d00036c3b8 thread T0
#0 0x7f57370f07af (libxul.so!nsComputedDOMStyle::GetStyleContextForElementNoFlush(mozilla::dom::Element*, nsIAtom*, nsIPresShell*, nsComputedDOMStyle::StyleType)+0x66f)
Line 129 of "/builds/slave/m-in-l64-asan-0000000000000000/build/layout/style/nsStyleContext.h"
#1 0x7f573830496f (libxul.so!nsEditor::IsPreformatted(nsIDOMNode*, bool*)+0x36f)
Line 3887 of "/builds/slave/m-in-l64-asan-0000000000000000/build/editor/libeditor/base/nsEditor.cpp"
#2 0x7f57385a70d2 (libxul.so!nsWSRunObject::GetRuns()+0x192)
Line 908 of "/builds/slave/m-in-l64-asan-0000000000000000/build/editor/libeditor/html/nsWSRunObject.cpp"
#3 0x7f573851d1bb (libxul.so!nsHTMLEditor::BeginningOfDocument()+0x36b)
Line 522 of "/builds/slave/m-in-l64-asan-0000000000000000/build/editor/libeditor/html/nsHTMLEditor.cpp"
#4 0x7f573853ed60 (libxul.so!nsHTMLEditor::ResetRootElementAndEventTarget()+0x1f0)
Line 5268 of "/builds/slave/m-in-l64-asan-0000000000000000/build/editor/libeditor/html/nsHTMLEditor.cpp"
#5 0x7f57385525dc (libxul.so!nsRunnableMethodImpl<void (nsHTMLEditor::*)(), void, true>::Run()+0x6c)
Line 382 of "../../../dist/include/nsThreadUtils.h"
#6 0x7f57374a6835 (libxul.so!nsContentUtils::RemoveScriptBlocker()+0x175)
Line 4772 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/base/src/nsContentUtils.cpp"
#7 0x7f5737537882 (libxul.so!nsDocument::EndUpdate(unsigned int)+0x362)
Line 4469 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/base/src/nsDocument.cpp"
#8 0x7f5737a7d5a2 (libxul.so!nsHTMLDocument::EndUpdate(unsigned int)+0x42)
Line 2427 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/document/src/nsHTMLDocument.cpp"
#9 0x7f573843d9ca (libxul.so!nsHtml5TreeOpExecutor::DidBuildModel(bool)+0x12a)
Line 246 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOpExecutor.h"
#10 0x7f573844ae40 (libxul.so!nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**)+0x2860)
Line 657 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOperation.cpp"
#11 0x7f573843ecf7 (libxul.so!nsHtml5TreeOpExecutor::RunFlushLoop()+0x957)
Line 524 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp"
#12 0x7f57383b96d8 (libxul.so!nsHtml5ExecutorFlusher::Run()+0x38)
Line 131 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5StreamParser.cpp"
#13 0x7f573a8f4de9 (libxul.so!nsThread::ProcessNextEvent(bool, bool*)+0xaa9)
Line 622 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp"
#14 0x7f573a81cf01 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1)
Line 238 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
#15 0x7f57394a8481 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311)
Line 85 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
#16 0x7f573aa12d43 (libxul.so!MessageLoop::Run()+0x1c3)
Line 220 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
#17 0x7f573927bd5c (libxul.so!nsBaseAppShell::Run()+0x5c)
Line 161 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
#18 0x7f5738c67fee (libxul.so!nsAppStartup::Run()+0xbe)
Line 268 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp"
#19 0x7f57360f33f5 (libxul.so!XREMain::XRE_mainRun()+0x1e05)
Line 3886 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#20 0x7f57360f432a (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa)
Line 3954 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#21 0x7f57360f525b (libxul.so!XRE_main+0x3ab)
Line 4156 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#22 0x459b8d (firefox!main+0x94d)
Line 275 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
#23 0x7f574583076c (libc.so.6!__libc_start_main+0xec)
Line 226 of "libc-start.c"
#24 0x45910c (firefox!_start+0x28)
0x60d00036c3b8 is located 16 bytes to the right of 136-byte region [0x60d00036c320,0x60d00036c3a8)
allocated by thread T0 here:
#0 0x446155 (firefox!malloc+0x55)
Line 74 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
#1 0x7f573f8f75c8 (libmozalloc.so!moz_xmalloc+0x8)
Line 54 of "/builds/slave/m-in-l64-asan-0000000000000000/build/memory/mozalloc/mozalloc.cpp"
#2 0x7f573844cbea (libxul.so!nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**)+0x460a)
Line 344 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOperation.cpp"
#3 0x7f573843ecf7 (libxul.so!nsHtml5TreeOpExecutor::RunFlushLoop()+0x957)
Line 524 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp"
#4 0x7f57383b96d8 (libxul.so!nsHtml5ExecutorFlusher::Run()+0x38)
Line 131 of "/builds/slave/m-in-l64-asan-0000000000000000/build/parser/html/nsHtml5StreamParser.cpp"
#5 0x7f573a81cf01 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1)
Line 238 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
#6 0x7f57394a8481 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311)
Line 85 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
#7 0x7f573aa12d43 (libxul.so!MessageLoop::Run()+0x1c3)
Line 220 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
#8 0x7f573927bd5c (libxul.so!nsBaseAppShell::Run()+0x5c)
Line 161 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
#9 0x7f57360f432a (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa)
Line 3954 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#10 0x7f57360f525b (libxul.so!XRE_main+0x3ab)
Line 4156 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
#11 0x459b8d (firefox!main+0x94d)
Line 275 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
#12 0x7f574583076c (libc.so.6!__libc_start_main+0xec)
Line 226 of "libc-start.c"
Shadow bytes around the buggy address:
0x0c1a80065820: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1a80065830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a80065840: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x0c1a80065850: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1a80065860: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a80065870: 00 00 00 00 00 fa fa[fa]fa fa fa fa fa fa fd fd
0x0c1a80065880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1a80065890: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1a800658a0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c1a800658b0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a800658c0: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==29710==ABORTING
Comment 1•12 years ago (Reporter)
Updated•12 years ago
Keywords: csec-bounds
Comment 2•12 years ago
Also crashes a non-ASan Nightly: bp-c45dbada-7685-4541-8d9f-90c6c2131024
Not sure if this is layout or editor
Crash Signature: [@ nsGlobalWindow::GetOnemptied() ]
Component: General → Layout
Keywords: csec-bounds, sec-high
Product: Firefox → Core
Comment 3•12 years ago
I get a different crash stack (Linux64 debug -inbound build).
Crashing at nsGfxScrollFrameInner::IsLTR.
Comment 4•12 years ago
There are plenty of assertions leading up to the crash; this is the stack for the first one.
Comment 5•12 years ago
Bug 930281 has the same crash signature as my crash, so I tried the patch there and it makes the assertions and crash go away, so I strongly suspect this is the same underlying issue. Olli, Henri, can you confirm?
Severity: normal → critical
Component: Layout → HTML: Parser
Updated•12 years ago
Depends on: CVE-2013-6671
Comment 6•12 years ago
This is the same bug, yeah.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
Whiteboard: [sg:dupe 930281]
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release