Closed
Bug 1417057
Opened 7 years ago
Closed 6 years ago
stylo: Crash in style::stylist::CascadeData::clear_cascade_data
Categories
(Core :: CSS Parsing and Computation, defect, P3)
RESOLVED
INACTIVE
People
(Reporter: marcia, Assigned: svoisen)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [sec-triage-backlog])
Crash Data
This bug was filed from the Socorro interface and is report bp-e4db3c04-42e9-415a-9a8d-14ae70171113.
=============================================================
Seen while looking at crash stats: http://bit.ly/2moNMWi. Crashes are seen in 59/58 and 57. Marking as sec sensitive since several crashes appear to be UAF (https://crash-stats.mozilla.com/report/index/471e1461-81a7-43e4-9a47-a9f450171110 is one example)
URLs
https://outlook.office.com/
https://gomovies.pet/film/game-of-thrones-season-2-1621.k5yJ/watching.html?ep=783562
https://www.facebook.com/
http://www.lolesports.com/en_US/worlds/world_championship_2017/matches/elimination/R3M1
https://www.eprice.it/carrello.aspx
Top 10 frames of crashing thread:
0 xul.dll style::stylist::CascadeData::clear_cascade_data servo/components/style/stylist.rs:2216
1 xul.dll style::stylist::CascadeData::clear servo/components/style/stylist.rs:2227
2 xul.dll geckoservo::glue::Servo_StyleSet_FlushStyleSheets servo/ports/geckolib/glue.rs:1098
3 xul.dll mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1434
4 xul.dll nsIDocument::FlushUserFontSet dom/base/nsDocument.cpp:13489
5 xul.dll nsIDocument::GetUserFontSet dom/base/nsDocument.cpp:13466
6 xul.dll nsDocLoader::DocLoaderIsEmpty uriloader/base/nsDocLoader.cpp:698
7 xul.dll nsDocLoader::OnStopRequest uriloader/base/nsDocLoader.cpp:632
8 xul.dll mozilla::net::nsLoadGroup::RemoveRequest netwerk/base/nsLoadGroup.cpp:629
9 xul.dll nsDocument::DoUnblockOnload dom/base/nsDocument.cpp:9292
=============================================================
Updated•7 years ago
status-firefox-esr52:
--- → unaffected
Comment 1•7 years ago
[Tracking Requested - why for this release]: new UAF
tracking-firefox58:
--- → ?
tracking-firefox59:
--- → ?
Comment 2•7 years ago
Per IRL discussion, Emilio said he could take a look to see if this is a variant of some of our known Stylo fuzz bugs.
Flags: needinfo?(emilio)
Comment 3•7 years ago
This is probably just the hashmap crashes from bug 1406996... It's not clear to me it's UAF, but it could be (when I was investigating bug 1414999, the old pres context memory was clobbered by the style hashmaps, so if we manage to get along without noticing...)
Flags: needinfo?(emilio)
Updated•7 years ago
Blocks: stylo-crash-reports
Crash Signature: [@ style::stylist::CascadeData::clear_cascade_data] → [@ style::stylist::CascadeData::clear]
[@ style::stylist::CascadeData::clear_cascade_data]
[@ shutdownhang | style::stylist::CascadeData::clear_cascade_data]
OS: Windows 10 → Windows
Priority: -- → P3
Comment 4•7 years ago
(In reply to Emilio Cobos Álvarez [:emilio] from comment #3)
> It's not clear to me it's UAF
bp-5b24d6fc-d6e4-4cdf-95d0-177430171115 seems to be using free-poisoned addresses. There's a small chance it's something uninitialized and allocated on a freed chunk, but UAF is a better bet.
Depends on: stylo-hashmap-crashes
Keywords: csectype-uaf,
sec-high
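Comment 4's reasoning (a faulting address made of free-poison bytes points to a use-after-free rather than an uninitialized read) can be turned into a small crash-triage check. This is an added example, not code from the bug or from the Firefox tree; it assumes mozjemalloc's poison bytes (0xe5 for freed memory, 0xe4 for freshly allocated memory) and runs over constructed sample records, not the crash reports linked in the bug.

```python
# Added triage helper (not from the bug or the Firefox tree).
# Assumed poison bytes, as used by mozjemalloc: 0xe5 fills freed memory,
# 0xe4 fills freshly allocated ("junked") memory. A pointer loaded from such
# memory is a run of that byte, usually plus a small struct-field offset.
POISON_LABELS = {
    0xE5: "free-poisoned: use-after-free likely",
    0xE4: "alloc-junked: uninitialized read likely",
}


def classify_crash_address(addr: int, pointer_bits: int = 64,
                           max_offset: int = 0x1000) -> str:
    """Label a faulting address by the poison pattern it resembles.

    An address matches a poison byte when it lies within max_offset above the
    all-same-byte value (e.g. 0xe5e5e5e5e5e5e5e5 on 64-bit), which is what a
    poisoned pointer field plus a field offset dereferences to.
    """
    width = pointer_bits // 8
    for byte, label in POISON_LABELS.items():
        base = int.from_bytes(bytes([byte]) * width, "big")
        if 0 <= addr - base < max_offset:
            return label
    if addr < 0x10000:
        return "near-null: null dereference with offset"
    return "no known poison pattern"


def triage_reports(reports, pointer_bits: int = 64) -> dict:
    """Count labels over (crash_id, faulting_address) pairs."""
    counts = {}
    for _crash_id, addr in reports:
        label = classify_crash_address(addr, pointer_bits)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (not the crash IDs from this bug).
SAMPLE_REPORTS = [
    ("sample-1", 0xE5E5E5E5E5E5E5F5),  # poisoned pointer + 0x10 field offset
    ("sample-2", 0xE5E5E5E5E5E5E5E5),  # poisoned pointer, offset 0
    ("sample-3", 0xE4E4E4E4E4E4E4E4),  # junked (never written) allocation
    ("sample-4", 0x0000000000000008),  # null + 8
    ("sample-5", 0x00007FF6A0001000),  # ordinary-looking address
]

if __name__ == "__main__":
    for label, n in sorted(triage_reports(SAMPLE_REPORTS).items()):
        print(f"{n}  {label}")
```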
Comment 5•7 years ago
This crash is very low volume. There were only about 100 crash reports across all channels last week.
Summary: Crash in style::stylist::CascadeData::clear_cascade_data → stylo: Crash in style::stylist::CascadeData::clear_cascade_data
Updated•7 years ago
Crash Signature: [@ style::stylist::CascadeData::clear]
[@ style::stylist::CascadeData::clear_cascade_data]
[@ shutdownhang | style::stylist::CascadeData::clear_cascade_data] → [@ style::stylist::CascadeData::clear]
[@ style::stylist::CascadeData::clear_cascade_data]
[@ shutdownhang | style::stylist::CascadeData::clear_cascade_data]
[@ style::selector_map::MaybeCaseInsensitiveHashMap<T>::clear<T>]
Comment 6•7 years ago
Jet: please find appropriate folks to work on these security bugs.
Assignee: nobody → bugs
Comment 8•7 years ago
I told Freddy that I'll switch from the Rust maps to OrderMap on nightly to see if that had any effect on the crash rate.
Flags: needinfo?(emilio)
Comment 10•7 years ago
Flags: needinfo?(emilio)
Comment 11•7 years ago
Still crashes with ordermap:
https://crash-stats.mozilla.com/search/?signature=~ordermap&date=%3E%3D2018-02-05T01%3A28%3A11.000Z&date=%3C2018-02-12T01%3A28%3A11.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Freddy, what should we do about this?
Flags: needinfo?(fbraun)
Comment 12•7 years ago
Back out and weep, I suppose.
Thank you for testing this, Emilio.
At least, it gives us confidence that the bug lies elsewhere.
Flags: needinfo?(fbraun)
Comment 13•7 years ago
Noting for the record that this bug is not actionable as it stands, per my discussion with Emilio.
Updated•7 years ago
Whiteboard: [sec-triage-backlog]
Updated•6 years ago
Assignee: bugs → svoisen
Updated•6 years ago
Group: layout-core-security
Status: NEW → RESOLVED
Crash Signature: [@ style::stylist::CascadeData::clear]
[@ style::stylist::CascadeData::clear_cascade_data]
[@ shutdownhang | style::stylist::CascadeData::clear_cascade_data]
[@ style::selector_map::MaybeCaseInsensitiveHashMap<T>::clear<T>] → [@ style::stylist::CascadeData::clear]
[@ style::stylist::CascadeData::clear_cascade_data]
[@ shutdownhang | style::stylist::CascadeData::clear_cascade_data]
[@ style::selector_map::MaybeCaseInsensitiveHashMap<T>::clear<T>]
[@ hashglobe::hash_map::Has…
Closed: 6 years ago
Keywords: testcase-wanted
Resolution: --- → INACTIVE