Closed Bug 832644 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in mozilla::ResetDir

Categories

(Core :: Layout, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla21
Tracking Status
firefox19 --- unaffected
firefox20 + fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: smontagu)

References

Details

(5 keywords, Whiteboard: [asan][adv-main20-])

Attachments

(3 files)

Attached file Testcase (deleted) —
Reproduces on trunk.

>==27890== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fddcd62ce2c at pc 0x7fddef412ef3 bp 0x7ffffecdddf0 sp 0x7ffffecddde8
>READ of size 4 at 0x7fddcd62ce2c thread T0
> #0 0x7fddef412ef2 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
> #1 0x7fddf12cdd9e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
> #2 0x7fddf12cc8d7 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:506
> #3 0x7fddf12d3f6f in mozilla::ResetDir(mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:918
> #4 0x7fddf18eaa27 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1362
> #5 0x7fddf28800bc in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:656
> #6 0x7fddf18ead55 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1375
> #7 0x7fddf28800bc in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:656
> #8 0x7fddf19c3583 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1387
> #9 0x7fddf1db63a3 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:894
> #10 0x7fddf19c5215 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1659
> #11 0x7fddf19112fd in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1538
> #12 0x7fddfc55cfc4 in mozilla::dom::NodeBinding::insertBefore(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:508
> #13 0x7fddfc4f5936 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1390
> #14 0x7fde0528f9ba in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #15 0x7fde0528f9ba in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #16 0x7fde052402ce in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
> #17 0x7fde051a0d8b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #18 0x7fde0529d205 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:537
> #19 0x7fde0529eda5 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:576
> #20 0x7fde04a08bae in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5650
> #21 0x7fddf3fdf939 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) src/dom/base/nsJSEnvironment.cpp:1275
> #22 0x7fddf41b1767 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9755
> #23 0x7fddf4165e9f in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:10007
> #24 0x7fddf41af7d9 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10276
> #25 0x7fddfd788bfb in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:482
> #26 0x7fddfd78a084 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565
> #27 0x7fddfd74c4cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #28 0x7fddfd3c0e55 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #29 0x7fddfa7d188c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #30 0x7fddfda438e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #31 0x7fddfda43719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #32 0x7fddfda435ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #33 0x7fddf9b8ba77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #34 0x7fddf8697425 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #35 0x7fdded8ffa04 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #36 0x7fdded9055ea in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #37 0x7fdded9083c0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #38 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #39 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #40 0x7fde1052976c in
>0x7fddcd62ce2c is located 44 bytes inside of 120-byte region [0x7fddcd62ce00,0x7fddcd62ce78)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7fde0d9a9409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7fddf1c26800 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
> #3 0x7fddf1c26800 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
> #4 0x7fddf1aebcf7 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
> #5 0x7fddf1965ad0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:115
> #6 0x7fddf1c26cfa in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
> #7 0x7fdded8c94ef in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
> #8 0x7fddef6c7b3c in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #9 0x7fddef6c7809 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #10 0x7fddf1db63ad in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
> #11 0x7fddf2b5562c in nsHTMLFieldSetElement::RemoveChildAt(unsigned int, bool) src/content/html/content/src/nsHTMLFieldSetElement.cpp:218
> #12 0x7fddf190bfc1 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3376
> #13 0x7fddfbd89774 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1689
> #14 0x7fddfbd721c8 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
> #15 0x7fde0528f9ba in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #16 0x7fde0528f9ba in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #17 0x7fde04b2134f in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #18 0x7fde05295789 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #19 0x7fde0529bc05 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
> #20 0x7fde0553e1b8 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:314
> #21 0x7fde05579134 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3841
> #22 0x7fde052d0268 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:367
> #23 0x7fde0523017d in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
> #24 0x7fde051a0d8b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #25 0x7fde0529030e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #26 0x7fde04b2134f in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #27 0x7fde05295789 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #28 0x7fde04a15b62 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
> #29 0x7fddf7757815 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #30 0x7fddf76f84a0 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:579
> #31 0x7fddfd88147f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7fde0d9a9554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7fddf1c26020 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
> #3 0x7fddf1c26020 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
> #4 0x7fddf554e08e in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
> #5 0x7fddf5559317 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
> #6 0x7fddf5577476 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
> #7 0x7fddf55b548d in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:125
> #8 0x7fddfd74c4cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #9 0x7fddfd3c0e55 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #10 0x7fddfa7d188c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #11 0x7fddfda438e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #12 0x7fddfda43719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #13 0x7fddfda435ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #14 0x7fddf9b8ba77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #15 0x7fddf8697425 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #16 0x7fdded8ffa04 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #17 0x7fdded9055ea in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #18 0x7fdded9083c0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #19 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #20 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #21 0x7fde1052976c in
>Shadow bytes around the buggy address:
>  0x1ffbb9ac5970: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1ffbb9ac5980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac5990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac59a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac59b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1ffbb9ac59c0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac59d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac59e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac59f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ffbb9ac5a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ffbb9ac5a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>Stats: 252M malloced (543M for red zones) by 407601 calls
>Stats: 47M realloced by 24387 calls
>Stats: 217M freed by 275291 calls
>Stats: 106M really freed by 200508 calls
>Stats: 616M (616M-0M) mmaped; 154 maps, 0 unmaps
>  mmaps   by size class: 10:253890; 11:12282; 12:3072; 13:1536; 14:1280; 15:384; 16:1152; 17:1280; 18:48; 19:40; 20:24;
>  mallocs by size class: 10:378224; 11:19749; 12:2786; 13:1828; 14:1597; 15:423; 16:1496; 17:1366; 18:69; 19:40; 20:23;
>  frees   by size class: 10:251314; 11:16722; 12:1506; 13:1361; 14:1426; 15:298; 16:1201; 17:1348; 18:57; 19:38; 20:20;
>  rfrees  by size class: 10:185907; 11:10750; 12:772; 13:654; 14:682; 15:188; 16:1014; 17:510; 18:26; 19:4; 20:1;
>Stats: malloc large: 1498 small slow: 4544
>Stats: StackDepot: 0 ids; 0M mapped
>==27890== ABORTING
Guessing "csec-uaf, sec-critical" based on bug 819623 with similar stack.
Blocks: DirAuto
Severity: normal → critical
Whiteboard: [asan]
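The report above is the artifact a triager works from, and the comment that follows it rates the bug by comparing its stack with bug 819623. As an added example (not code from this bug, from the reporter or from Mozilla), here is a small Python parser for that ASan report format: it separates the faulting access, the free and the allocation stacks, names the freed object's class from the first destructor on the free stack, and derives a build-independent stack signature of the kind used to spot "similar stack" duplicates. The sample input is an abridged copy of the report in the first comment; the function and class names are this example's own.

```python
"""Parse an AddressSanitizer report (the format pasted in comment 0) into a
structured record and derive a build-independent crash signature for triage.
Added example; the helper names below are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "#3 0x7fddf12d3f6f in mozilla::ResetDir(mozilla::dom::Element*) src/.../DirectionalityUtils.cpp:918"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)(?:\s+(\S+:\d+))?$")
HEADER_RE = re.compile(r"^==\d+==\s*ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"^0x[0-9a-fA-F]+ is located (\d+) bytes inside of (\d+)-byte region")
# Allocator and sanitizer-runtime frames say nothing about the program's own logic.
NOISE_PREFIXES = ("__interceptor_", "__asan_", "malloc", "free", "moz_free",
                  "moz_xmalloc", "operator new", "operator delete")


@dataclass
class Frame:
    index: int
    function: str            # symbol as printed; "" for an unsymbolized frame
    location: Optional[str]  # "file:line" when the frame was symbolized

    def short_name(self) -> str:
        """Symbol without its parameter list, e.g. 'nsINode::GetBoolFlag'."""
        return self.function.split("(", 1)[0].strip() or "??"


@dataclass
class AsanReport:
    error_kind: str = ""
    address: str = ""
    access: str = ""                  # e.g. "READ of size 4"
    offset: Optional[int] = None      # bytes into the freed region
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Line-oriented state machine; tolerates the '>' quote prefix Bugzilla adds."""
    report = AsanReport()
    current: Optional[List[Frame]] = None   # stack that frame lines currently belong to
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            report.error_kind, report.address = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            report.access = f"{m.group(1)} of size {m.group(2)}"
            current = report.access_stack
        elif m := REGION_RE.match(line):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by thread"):
            current = report.free_stack
        elif line.startswith("previously allocated by thread"):
            current = report.alloc_stack
        elif line.startswith("Shadow bytes"):
            break                              # only shadow memory and stats follow
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def program_frames(stack: List[Frame]) -> List[Frame]:
    """Drop allocator/runtime frames so a signature reflects program code."""
    return [f for f in stack if not f.short_name().startswith(NOISE_PREFIXES)]


def crash_signature(report: AsanReport, depth: int = 5) -> str:
    """Error kind plus the top program frames of the faulting access. Addresses and
    line numbers are left out: they change between builds, function names do not."""
    names = [f.short_name() for f in program_frames(report.access_stack)[:depth]]
    return f"{report.error_kind}: " + " <- ".join(names)


def freed_type(report: AsanReport) -> Optional[str]:
    """Class of the freed object, read off the first destructor in the free stack."""
    for f in report.free_stack:
        name = f.short_name()
        if "::~" in name:
            return name.split("::~", 1)[0]
    return None


# Abridged copy of the report in comment 0 (top frames of each stack only).
SAMPLE_REPORT = """\
>==27890== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fddcd62ce2c at pc 0x7fddef412ef3 bp 0x7ffffecdddf0 sp 0x7ffffecddde8
>READ of size 4 at 0x7fddcd62ce2c thread T0
> #0 0x7fddef412ef2 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
> #1 0x7fddf12cdd9e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
> #2 0x7fddf12cc8d7 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:506
> #3 0x7fddf12d3f6f in mozilla::ResetDir(mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:918
>0x7fddcd62ce2c is located 44 bytes inside of 120-byte region [0x7fddcd62ce00,0x7fddcd62ce78)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7fde0d9a9409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7fddf1c26800 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
> #3 0x7fddf1c26800 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7fde0d9a9554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7fddf1c26020 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
> #3 0x7fddf1c26020 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>Shadow bytes around the buggy address:
>==27890== ABORTING
"""
```

Running `crash_signature(parse_asan_report(SAMPLE_REPORT))` on the sample gives a string that starts with `heap-use-after-free: nsINode::GetBoolFlag <- nsINode::HasTextNodeDirectionalityMap`, and `freed_type` returns `nsTextNode`, which is exactly the pairing a triager wants at a glance: a text node is destroyed during `innerHTML` replacement while the directionality map still references it, and the flag read in `ResetDir` touches the freed node. The signature deliberately keys on function names rather than on addresses or `file:line` pairs, so reports from different ASan builds of the same bug compare equal.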
Attached patch Patch (deleted) — Splinter Review
This is a rather subtle bug: when testing for bdi to give it default auto-direction we should have excluded bdi with explicit dir=auto.
Attachment #706868 - Flags: review?(ehsan)
Attachment #706868 - Flags: review?(ehsan) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment on attachment 706868 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 548206 (or one of its followups)
User impact if declined: critical security vulnerability
Testing completed (on m-c, etc.): Baked on m-c since 2013-01-28
Risk to taking this patch (and alternatives if risky): Minimal
String or UUID changes made by this patch: None
Attachment #706868 - Flags: approval-mozilla-aurora?
Attachment #706868 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security