Closed Bug 1376703 Opened 7 years ago Closed 7 years ago

heap-buffer-overflow in [@ RemoveElementFromMap]

Categories: Core :: DOM: Core & HTML, defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-bounds, testcase-wanted

I am working on getting a test case for this at the moment. I'm not 100% sure, but this may also manifest as a heap UAF.

==18933==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0004e9c5c at pc 0x7f3e735c88ac bp 0x7ffcaa8a6fa0 sp 0x7ffcaa8a6f98
READ of size 4 at 0x60c0004e9c5c thread T0
    #0 0x7f3e735c88ab in GetBoolFlag src/dom/base/nsINode.h:1589:12
    #1 0x7f3e735c88ab in HasTextNodeDirectionalityMap src/dom/base/nsINode.h:1665
    #2 0x7f3e735c88ab in RemoveElementFromMap src/dom/base/DirectionalityUtils.cpp:547
    #3 0x7f3e735c88ab in mozilla::ResetDir(mozilla::dom::Element*) src/dom/base/DirectionalityUtils.cpp:1006
    #4 0x7f3e735dd53b in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1979:5
    #5 0x7f3e759aad1a in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/dom/html/nsGenericHTMLElement.cpp:554:20
    #6 0x7f3e735dd644 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1992:37
    #7 0x7f3e759aad1a in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/dom/html/nsGenericHTMLElement.cpp:554:20
    #8 0x7f3e735dd644 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1992:37
    #9 0x7f3e759aad1a in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/dom/html/nsGenericHTMLElement.cpp:554:20
    #10 0x7f3e75933c29 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool, bool) src/dom/html/HTMLSharedElement.cpp:292:25
    #11 0x7f3e737b261a in nsDocument::cycleCollection::Unlink(void*) src/dom/base/nsDocument.cpp:1903:14
    #12 0x7f3e759cf09d in nsHTMLDocument::cycleCollection::Unlink(void*) src/dom/html/nsHTMLDocument.cpp:213:1
    #13 0x7f3e70b0c8a0 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3321:26
    #14 0x7f3e70b0f0ba in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3673:24
    #15 0x7f3e70b133c4 in FinishAnyCurrentCollection src/xpcom/base/nsCycleCollector.cpp:3736:3
    #16 0x7f3e70b133c4 in PrepareForGarbageCollection src/xpcom/base/nsCycleCollector.cpp:3723
    #17 0x7f3e70b133c4 in nsCycleCollector_prepareForGarbageCollection() src/xpcom/base/nsCycleCollector.cpp:4214
    #18 0x7f3e70ae8656 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus) src/xpcom/base/CycleCollectedJSRuntime.cpp:1437:7
    #19 0x7f3e7c192f08 in callGCCallback src/js/src/jsgc.cpp:1461:9
    #20 0x7f3e7c192f08 in AutoNotifyGCActivity src/js/src/jsgc.cpp:1485
    #21 0x7f3e7c192f08 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) src/js/src/jsgc.cpp:6557
    #22 0x7f3e7c1970c2 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) src/js/src/jsgc.cpp:6761:25
    #23 0x7f3e7c16985e in js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::gcreason::Reason, long) src/js/src/jsgc.cpp:6839:5
    #24 0x7f3e7c1692ae in js::gc::GCRuntime::gcIfRequested() src/js/src/jsgc.cpp:7037:13
    #25 0x7f3e7c65390a in InvokeInterruptCallback src/js/src/vm/Runtime.cpp:506:23
    #26 0x7f3e7c65390a in JSContext::handleInterrupt() src/js/src/vm/Runtime.cpp:598
    #27 0x7f3e7b6fd750 in CheckForInterrupt src/js/src/jscntxtinlines.h:413:20
    #28 0x7f3e7b6fd750 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2450
    #29 0x7f3e7b6df108 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:410:12
    #30 0x7f3e7b710258 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:488:15
    #31 0x7f3e7b710a82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:534:10
    #32 0x7f3e7c071afb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2948:12
    #33 0x7f3e74c88a67 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #34 0x7f3e755d3bbf in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #35 0x7f3e755d3bbf in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1139
    #36 0x7f3e755d5ad2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1314:20
    #37 0x7f3e755b5c31 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:464:16
    #38 0x7f3e755b9102 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:824:9
    #39 0x7f3e7558851a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp:893:12
    #40 0x7f3e738c60d1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/dom/base/nsINode.cpp:1343:5
    #41 0x7f3e733fd6da in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4396:18
    #42 0x7f3e733fd49b in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4364:10
    #43 0x7f3e737dcb50 in nsDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5273:3
    #44 0x7f3e7389fb42 in applyImpl<nsDocument, void (nsDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1138:12
    #45 0x7f3e7389fb42 in apply<nsDocument, void (nsDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1144
    #46 0x7f3e7389fb42 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1187
    #47 0x7f3e70c643e8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1422:14
    #48 0x7f3e70c6a538 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #49 0x7f3e71a2cca1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #50 0x7f3e71989820 in RunInternal src/ipc/chromium/src/base/message_loop.cc:320:10
    #51 0x7f3e71989820 in RunHandler src/ipc/chromium/src/base/message_loop.cc:313
    #52 0x7f3e71989820 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:293
    #53 0x7f3e7701acef in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:156:27
    #54 0x7f3e7b073d91 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:287:30
    #55 0x7f3e7b2425d4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4590:22
    #56 0x7f3e7b244140 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4773:8
    #57 0x7f3e7b245491 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4868:21
    #58 0x4eb613 in do_main src/browser/app/nsBrowserApp.cpp:237:22
    #59 0x4eb613 in main src/browser/app/nsBrowserApp.cpp:310
    #60 0x7f3e8d2c482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #61 0x41d168 in _start (firefox+0x41d168)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow src/dom/base/nsINode.h:1589:12 in GetBoolFlag
Shadow bytes around the buggy address:
  0x0c1880095330: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880095340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880095350: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880095360: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880095370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1880095380: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c1880095390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c18800953b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Found on m-c 20170627-8f80d594c08d
See Also: → 1346590
Did you encounter this again? Why do you think this is a11y related?
Flags: needinfo?(twsmith)
Hmm, not sure why I did that; I'm going to assume I just had a11y on my mind (likely reducing another test case at the same time). Sorry about that.
Component: Disability Access APIs → DOM
Flags: needinfo?(twsmith)
Catalin, you've been looking at this area of code recently; can you take a look? This may be RTL-related?
Flags: needinfo?(catalin.badea392)
Tyson, can you still reproduce this? Comment 1 talks about a build before bug 1346590 landed.
Flags: needinfo?(twsmith)
(In reply to Olli Pettay [:smaug] from comment #5)
> Tyson, can you still reproduce this? Comment 1 talks about a build before bug 1346590 landed.

No, I cannot repro; I will keep an eye open for new test cases. Please mark this as a dup if that is appropriate.
Flags: needinfo?(twsmith)
Reopen (or file a new bug) if this recurs.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Flags: needinfo?(catalin.badea392)
Component: DOM → DOM: Core & HTML
Group: dom-core-security