Closed Bug 932449 Opened 6 years ago Closed 6 years ago

Heap-use-after-free in mozilla::RestyleManager::GetHoverGeneration()

Categories

(Core :: DOM: Events, defect, P1, critical)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla28
Tracking Status
firefox25 --- wontfix
firefox26 --- verified
firefox27 --- verified
firefox28 + verified
firefox-esr17 --- wontfix
firefox-esr24 --- fixed
b2g18 --- fixed
b2g-v1.1hd --- fixed
b2g-v1.2 --- fixed

People

(Reporter: attekett, Assigned: mats)

References

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [reporter-external][fixed in bug 930381 but not a dupe][adv-main26+][adv-esr24.2+])

Attachments

(2 files)

Attached file repro.html
Tested in:

OS: Ubuntu 12.04

Firefox: debug ASAN-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan-debug/1383057658/

The repro file has two parts.

run.html opens repro.html in an iframe and reloads it at a 400 ms interval via the onload event. To reproduce the issue, open run.html in Firefox and move the mouse cursor into the area of the iframe on the page.

ASAN report:

==15391==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170001e8f1c at pc 0x7f031be759fe bp 0x7ffffaed2b20 sp 0x7ffffaed2b18
READ of size 4 at 0x6170001e8f1c thread T0
    #0 0x7f031be759fd in mozilla::RestyleManager::GetHoverGeneration() const /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/RestyleManager.h:75:0
    #1 0x7f031be7594e in PresShell::DispatchSynthMouseMove(mozilla::WidgetGUIEvent*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresShell.cpp:3416:0
    #2 0x7f031be7f1b1 in PresShell::ProcessSynthMouseMoveEvent(bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresShell.cpp:5256:0
    #3 0x7f031bea0d6d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsRefreshDriver.cpp:1074:0
    #4 0x7f031bea6d5d in mozilla::RefreshDriverTimer::Tick() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsRefreshDriver.cpp:160:0
    #5 0x7f031eb1ccb6 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/threads/nsTimerImpl.cpp:546:0
    #6 0x7f031eb1d45e in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/threads/nsTimerImpl.cpp:630:0
    #7 0x7f031eb141ce in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/threads/nsThread.cpp:622:0
    #8 0x7f031ea6501f in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/glue/nsThreadUtils.cpp:251:0
    #9 0x7f031dc72e77 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/ipc/glue/MessagePump.cpp:85:0
    #10 0x7f031ebff270 in MessageLoop::RunInternal() /builds/slave/m-cen-l64-asan-d-0000000000000/build/ipc/chromium/src/base/message_loop.cc:220:0
    #11 0x7f031ebff074 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/ipc/chromium/src/base/message_loop.cc:187:0
    #12 0x7f031da8dfd0 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:161:0
    #13 0x7f031d5f7ad5 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/components/startup/nsAppStartup.cpp:268:0
    #14 0x7f031b438c3b in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/xre/nsAppRunner.cpp:3976:0
    #15 0x7f031b439fa8 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/xre/nsAppRunner.cpp:4044:0
    #16 0x7f031b43a925 in XRE_main /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/xre/nsAppRunner.cpp:4246:0
    #17 0x45a0f5 in do_main(int, char**, nsIFile*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/browser/app/nsBrowserApp.cpp:275:0
    #18 0x459667 in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/browser/app/nsBrowserApp.cpp:635:0
    #19 0x7f032bb8676c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226:0
    #20 0x45937c in _start ??:0
0x6170001e8f1c is located 28 bytes inside of 760-byte region [0x6170001e8f00,0x6170001e91f8)
freed by thread T0 here:
    #0 0x446285 in __interceptor_free _asan_rtl_:0
    #1 0x7f031be5fc05 in operator delete(void*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/layout/base/../../dist/include/mozilla/mozalloc.h:225:0
    #2 0x7f031be5fc05 in mozilla::RestyleManager::Release() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/RestyleManager.h:38:0
    #3 0x7f031be5682d in nsRefPtr<mozilla::RestyleManager>::operator=(mozilla::RestyleManager*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/layout/base/../../dist/include/nsAutoPtr.h:943:0
    #4 0x7f031be526aa in nsPresContext::SetShell(nsIPresShell*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresContext.cpp:1109:0
    #5 0x7f031be66efd in PresShell::Destroy() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresShell.cpp:1058:0
    #6 0x7f031be0cc56 in nsDocumentViewer::DestroyPresShell() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsDocumentViewer.cpp:4334:0
    #7 0x7f031be0f3ba in nsDocumentViewer::Hide() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsDocumentViewer.cpp:2023:0
    #8 0x7f031eefbc78 in nsDocShell::SetVisibility(bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/docshell/base/nsDocShell.cpp:5523:0
    #9 0x7f031eefbcd3 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/docshell/base/nsDocShell.cpp:5527:0
    #10 0x7f031c489097 in nsFrameLoader::Hide() /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsFrameLoader.cpp:997:0
    #11 0x7f031c031d78 in nsHideViewer::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/generic/nsSubDocumentFrame.cpp:780:0
    #12 0x7f031c3c4b6d in nsContentUtils::RemoveScriptBlocker() /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsContentUtils.cpp:4786:0
    #13 0x7f031c406f1d in nsDocument::EndUpdate(unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsDocument.cpp:4471:0
    #14 0x7f031c80cdc6 in nsHTMLDocument::EndUpdate(unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/html/document/src/nsHTMLDocument.cpp:2427:0
    #15 0x7f031bf9ed7f in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/mozAutoDocUpdate.h:38:0
    #16 0x7f031c4c36e7 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsINode.cpp:1522:0
    #17 0x7f031c3626f7 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/FragmentOrElement.cpp:963:0
    #18 0x7f031c4bdc1b in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsINode.cpp:458:0
    #19 0x7f031e5b17b2 in mozilla::dom::NodeBinding::removeChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/dom/bindings/./NodeBinding.cpp:628:0
    #20 0x7f031e5af0ed in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/dom/bindings/./NodeBinding.cpp:1231:0
    #21 0x7f0320495683 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/jscntxtinlines.h:220:0
    #22 0x7f0320494d95 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/vm/Interpreter.cpp:455:16
    #23 0x7f03204889cd in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/vm/Interpreter.cpp:2499:0
    #24 0x7f032047766b in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/vm/Interpreter.cpp:419:0
    #25 0x7f0320494ee7 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/vm/Interpreter.cpp:481:0
    #26 0x7f0320495a4c in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/vm/Interpreter.cpp:512:0
    #27 0x7f0320324228 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/jsproxy.cpp:454:0
    #28 0x7f03203ed791 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/jswrapper.cpp:454:0
    #29 0x7f0320337801 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/jsproxy.cpp:2643:0
    #30 0x7f032033b7f0 in proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/js/src/jsproxy.cpp:3037:0
previously allocated by thread T0 here:
    #0 0x4463c5 in malloc _asan_rtl_:0
    #1 0x7f03258ee7d7 in moz_xmalloc /builds/slave/m-cen-l64-asan-d-0000000000000/build/memory/mozalloc/mozalloc.cpp:54:0
    #2 0x7f031be56062 in operator new(unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/layout/base/../../dist/include/mozilla/mozalloc.h:201:0
    #3 0x7f031be56062 in nsPresContext::Init(nsDeviceContext*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresContext.cpp:931:0
    #4 0x7f031be0ead3 in nsDocumentViewer::Show() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsDocumentViewer.cpp:1946:0
    #5 0x7f031eefbc78 in nsDocShell::SetVisibility(bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/docshell/base/nsDocShell.cpp:5523:0
    #6 0x7f031eefbcd3 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/docshell/base/nsDocShell.cpp:5527:0
    #7 0x7f031c48855d in nsFrameLoader::Show(int, int, int, int, nsSubDocumentFrame*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsFrameLoader.cpp:846:0
    #8 0x7f031c02c295 in nsSubDocumentFrame::ShowViewer() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/generic/nsSubDocumentFrame.cpp:188:27
    #9 0x7f031c031e98 in AsyncFrameInit::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/generic/nsSubDocumentFrame.cpp:82:0
    #10 0x7f031c3c4b6d in nsContentUtils::RemoveScriptBlocker() /builds/slave/m-cen-l64-asan-d-0000000000000/build/content/base/src/nsContentUtils.cpp:4786:0
    #11 0x7f031bd8eb0d in nsAutoScriptBlocker::~nsAutoScriptBlocker() /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/toolkit/components/places/../../../dist/include/nsContentUtils.h:2200:0
    #12 0x7f031be775cd in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresShell.cpp:3831:0
    #13 0x7f031bea152a in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsRefreshDriver.cpp:1139:0
    #14 0x7f031bea6d5d in mozilla::RefreshDriverTimer::Tick() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsRefreshDriver.cpp:160:0
    #15 0x7f031eb1ccb6 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/threads/nsTimerImpl.cpp:546:0
    #16 0x7f031eb1d45e in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/threads/nsTimerImpl.cpp:630:0
    #17 0x7f031eb141ce in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/threads/nsThread.cpp:622:0
    #18 0x7f031ea6501f in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/xpcom/glue/nsThreadUtils.cpp:251:0
    #19 0x7f031dc72e77 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/ipc/glue/MessagePump.cpp:85:0
    #20 0x7f031ebff270 in MessageLoop::RunInternal() /builds/slave/m-cen-l64-asan-d-0000000000000/build/ipc/chromium/src/base/message_loop.cc:220:0
    #21 0x7f031ebff074 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/ipc/chromium/src/base/message_loop.cc:187:0
    #22 0x7f031da8dfd0 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:161:0
    #23 0x7f031d5f7ad5 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/components/startup/nsAppStartup.cpp:268:0
    #24 0x7f031b438c3b in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/xre/nsAppRunner.cpp:3976:0
    #25 0x7f031b439fa8 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/xre/nsAppRunner.cpp:4044:0
    #26 0x7f031b43a925 in XRE_main /builds/slave/m-cen-l64-asan-d-0000000000000/build/toolkit/xre/nsAppRunner.cpp:4246:0
    #27 0x45a0f5 in do_main(int, char**, nsIFile*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/browser/app/nsBrowserApp.cpp:275:0
    #28 0x459667 in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/browser/app/nsBrowserApp.cpp:635:0
    #29 0x7f032bb8676c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226:0
Shadow bytes around the buggy address:
  0x0c2e80035190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800351a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800351b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800351c0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c2e800351d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e800351e0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e800351f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80035200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80035210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80035220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80035230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==15391==ABORTING


In addition to the ASAN output, the debug build also throws a few assertions, but I'm not sure whether those are directly related.

###!!! ASSERTION: non-root reflow roots must not have scrollable overflow: 'target == rootFrame || desiredSize.ScrollableOverflow().IsEqualEdges(boundsRelativeToTarget)', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresShell.cpp, line 7937

###!!! ASSERTION: Shouldn't have unconstrained stuff here thanks to ComputeAutoSize: 'NS_INTRINSICSIZE != aReflowState.ComputedHeight()', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/generic/nsLeafFrame.cpp, line 75
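As an added example for triaging reports like the one above (this is not code from the bug or from Mozilla), the following Python parser pulls the facts a reviewer needs out of an AddressSanitizer heap-use-after-free report: the access kind and size, the offset of the access inside the freed region, and the first non-allocator frame of each of the three stacks (where the stale pointer was dereferenced, where the object was freed, and where it was allocated). The embedded sample is a trimmed copy of the report in this bug; the helper names and the list of allocator shims to skip are this example's own choices.

```python
"""Extract triage facts from an AddressSanitizer heap-use-after-free report."""
import re
from dataclasses import dataclass, field

# Trimmed copy of the ASAN report attached to this bug: header, the top frames of the
# three stacks, and the footer. Paths are kept as they appear in the report.
SAMPLE_REPORT = """\
==15391==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170001e8f1c at pc 0x7f031be759fe bp 0x7ffffaed2b20 sp 0x7ffffaed2b18
READ of size 4 at 0x6170001e8f1c thread T0
    #0 0x7f031be759fd in mozilla::RestyleManager::GetHoverGeneration() const /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/RestyleManager.h:75:0
    #1 0x7f031be7594e in PresShell::DispatchSynthMouseMove(mozilla::WidgetGUIEvent*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresShell.cpp:3416:0
0x6170001e8f1c is located 28 bytes inside of 760-byte region [0x6170001e8f00,0x6170001e91f8)
freed by thread T0 here:
    #0 0x446285 in __interceptor_free _asan_rtl_:0
    #1 0x7f031be5fc05 in operator delete(void*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/layout/base/../../dist/include/mozilla/mozalloc.h:225:0
    #2 0x7f031be5fc05 in mozilla::RestyleManager::Release() /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/RestyleManager.h:38:0
    #3 0x7f031be5682d in nsRefPtr<mozilla::RestyleManager>::operator=(mozilla::RestyleManager*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/layout/base/../../dist/include/nsAutoPtr.h:943:0
    #4 0x7f031be526aa in nsPresContext::SetShell(nsIPresShell*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresContext.cpp:1109:0
previously allocated by thread T0 here:
    #0 0x4463c5 in malloc _asan_rtl_:0
    #1 0x7f03258ee7d7 in moz_xmalloc /builds/slave/m-cen-l64-asan-d-0000000000000/build/memory/mozalloc/mozalloc.cpp:54:0
    #2 0x7f031be56062 in operator new(unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/obj-firefox/layout/base/../../dist/include/mozilla/mozalloc.h:201:0
    #3 0x7f031be56062 in nsPresContext::Init(nsDeviceContext*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/base/nsPresContext.cpp:931:0
==15391==ABORTING
"""

# Allocator and sanitizer shims that sit on top of every stack; skipped so the summary
# names the code that actually acted (the skip list is this example's own choice).
RUNTIME_PREFIXES = ("__interceptor_", "malloc", "free", "operator new",
                    "operator delete", "moz_xmalloc")

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# "#N 0xADDR in <function, may contain spaces> <location without spaces>"
FRAME_RE = re.compile(r"^\s+#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    thread: str = ""
    offset: int = -1
    region_size: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "freed": [], "allocated": []})


def parse_asan_report(text):
    """Walk the report line by line, switching stacks at the ASAN section headers."""
    report, section = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            report.kind, report.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(4)
            section = "access"
        elif m := REGION_RE.search(line):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by thread"):
            section = "allocated"
        elif (m := FRAME_RE.match(line)) and section:
            report.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def first_project_frame(frames):
    """First frame that is not an allocator or sanitizer shim."""
    return next((f for f in frames if not f.function.startswith(RUNTIME_PREFIXES)), None)


def summarize(report):
    """Condense the report into the facts a triager records on the bug."""
    crash = first_project_frame(report.stacks["access"])
    freed = first_project_frame(report.stacks["freed"])
    alloc = first_project_frame(report.stacks["allocated"])
    access = report.stacks["access"]
    return {
        "kind": report.kind,
        "access": f"{report.access} of {report.size} bytes at +{report.offset} "
                  f"in a {report.region_size}-byte freed region",
        # A use-after-free is only genuine if the access lands inside the freed block.
        "inside_freed_region": 0 <= report.offset < report.region_size,
        "crash_site": crash.function if crash else None,
        "caller": access[1].function if len(access) > 1 else None,
        "free_site": freed.function if freed else None,
        "alloc_site": alloc.function if alloc else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run on the sample, the summary names `GetHoverGeneration()` as the crash site, `PresShell::DispatchSynthMouseMove` as the caller still holding the stale pointer, `RestyleManager::Release()` (reached from `nsPresContext::SetShell`) as the free site and `nsPresContext::Init` as the allocation site, which is exactly the lifetime question the later comments in this bug argue over. Pointing the script at a full report (shadow-byte dump included) works the same way, since lines outside the three stacks never match the frame pattern.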
Attached file run.html
Hmm, is this a dup of bug 930381?
Haven't managed to reproduce this, though.
For me it reproduced pretty easily, just by opening run.html in Firefox and moving the mouse cursor from outside the iframe into the area of the iframe.
I can reproduce the heap-use-after-free in GetHoverGeneration easily.
The fix in bug 930381 seems to fix that.  (I now get a crash during GC
instead which I suspect is an unrelated problem.)
Severity: normal → critical
Depends on: CVE-2013-5613
Actually, I can still reproduce this crash with the patch in bug 930381 applied.
So I think that patch is insufficient and I've attached an additional patch there.
Priority: -- → P1
Flags: sec-bounty?
Whiteboard: [reporter-external]
Is this effectively a dupe of 930381 (leaving aside whether we give Atte a bounty)?
Yeah, it's the same underlying issue.  That said, it might deserve a bounty since
it demonstrated that the fix in 930381 was incomplete, saving us from shipping
a use-after-free issue.  I feel like it should at least be shared with 930381
since they independently discovered the same issue.  Just my 2 cents :-)
Assignee: nobody → matspal
Whiteboard: [reporter-external] → [reporter-external][fixed by bug 930381]
(In reply to Mats Palmgren (:mats) from comment #6)
> Actually, I can still reproduce this crash with the patch in bug 930381
> applied.
> So I think that patch is insufficient and I've attached an additional patch
> there.

There is no additional patch. Did you forget to attach it?
Flags: needinfo?(matspal)
Sorry, you put the patch in the other bug.
Flags: needinfo?(matspal)
Mats: Presumably this is fixed in all the branches bug 930381 is?
Flags: needinfo?(matspal)
Whiteboard: [reporter-external][fixed by bug 930381] → [reporter-external][fixed in bug 930381 but not a dupe]
Yes, both patches landed together (in same cset) on all the relevant branches.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(matspal) → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external][fixed in bug 930381 but not a dupe] → [reporter-external][fixed in bug 930381 but not a dupe][adv-main26+][adv-esr24.2+]
Confirmed crash on FF27, 2013-10-23.
Verified fixed on FF26/27/28, 2013-12-03.

Asserts are still there. I assume we're not concerned with those.
Group: core-security