Bug 1376703 - heap-buffer-overflow in [@ RemoveElementFromMap]
Status: RESOLVED WORKSFORME (Closed)
Opened 7 years ago; closed 7 years ago
Categories: Core :: DOM: Core & HTML (defect)
People: Reporter: tsmith; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-bounds, testcase-wanted
Description • Reporter • 7 years ago

I am working on getting a test case for this at the moment. I'm not 100% sure, but this may also manifest as a heap UAF.

==18933==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0004e9c5c at pc 0x7f3e735c88ac bp 0x7ffcaa8a6fa0 sp 0x7ffcaa8a6f98
READ of size 4 at 0x60c0004e9c5c thread T0
    #0 0x7f3e735c88ab in GetBoolFlag src/dom/base/nsINode.h:1589:12
    #1 0x7f3e735c88ab in HasTextNodeDirectionalityMap src/dom/base/nsINode.h:1665
    #2 0x7f3e735c88ab in RemoveElementFromMap src/dom/base/DirectionalityUtils.cpp:547
    #3 0x7f3e735c88ab in mozilla::ResetDir(mozilla::dom::Element*) src/dom/base/DirectionalityUtils.cpp:1006
    #4 0x7f3e735dd53b in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1979:5
    #5 0x7f3e759aad1a in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/dom/html/nsGenericHTMLElement.cpp:554:20
    #6 0x7f3e735dd644 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1992:37
    #7 0x7f3e759aad1a in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/dom/html/nsGenericHTMLElement.cpp:554:20
    #8 0x7f3e735dd644 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1992:37
    #9 0x7f3e759aad1a in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/dom/html/nsGenericHTMLElement.cpp:554:20
    #10 0x7f3e75933c29 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool, bool) src/dom/html/HTMLSharedElement.cpp:292:25
    #11 0x7f3e737b261a in nsDocument::cycleCollection::Unlink(void*) src/dom/base/nsDocument.cpp:1903:14
    #12 0x7f3e759cf09d in nsHTMLDocument::cycleCollection::Unlink(void*) src/dom/html/nsHTMLDocument.cpp:213:1
    #13 0x7f3e70b0c8a0 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3321:26
    #14 0x7f3e70b0f0ba in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3673:24
    #15 0x7f3e70b133c4 in FinishAnyCurrentCollection src/xpcom/base/nsCycleCollector.cpp:3736:3
    #16 0x7f3e70b133c4 in PrepareForGarbageCollection src/xpcom/base/nsCycleCollector.cpp:3723
    #17 0x7f3e70b133c4 in nsCycleCollector_prepareForGarbageCollection() src/xpcom/base/nsCycleCollector.cpp:4214
    #18 0x7f3e70ae8656 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus) src/xpcom/base/CycleCollectedJSRuntime.cpp:1437:7
    #19 0x7f3e7c192f08 in callGCCallback src/js/src/jsgc.cpp:1461:9
    #20 0x7f3e7c192f08 in AutoNotifyGCActivity src/js/src/jsgc.cpp:1485
    #21 0x7f3e7c192f08 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) src/js/src/jsgc.cpp:6557
    #22 0x7f3e7c1970c2 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) src/js/src/jsgc.cpp:6761:25
    #23 0x7f3e7c16985e in js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::gcreason::Reason, long) src/js/src/jsgc.cpp:6839:5
    #24 0x7f3e7c1692ae in js::gc::GCRuntime::gcIfRequested() src/js/src/jsgc.cpp:7037:13
    #25 0x7f3e7c65390a in InvokeInterruptCallback src/js/src/vm/Runtime.cpp:506:23
    #26 0x7f3e7c65390a in JSContext::handleInterrupt() src/js/src/vm/Runtime.cpp:598
    #27 0x7f3e7b6fd750 in CheckForInterrupt src/js/src/jscntxtinlines.h:413:20
    #28 0x7f3e7b6fd750 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2450
    #29 0x7f3e7b6df108 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:410:12
    #30 0x7f3e7b710258 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:488:15
    #31 0x7f3e7b710a82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:534:10
    #32 0x7f3e7c071afb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2948:12
    #33 0x7f3e74c88a67 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #34 0x7f3e755d3bbf in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #35 0x7f3e755d3bbf in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1139
    #36 0x7f3e755d5ad2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1314:20
    #37 0x7f3e755b5c31 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:464:16
    #38 0x7f3e755b9102 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:824:9
    #39 0x7f3e7558851a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp:893:12
    #40 0x7f3e738c60d1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/dom/base/nsINode.cpp:1343:5
    #41 0x7f3e733fd6da in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4396:18
    #42 0x7f3e733fd49b in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4364:10
    #43 0x7f3e737dcb50 in nsDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5273:3
    #44 0x7f3e7389fb42 in applyImpl<nsDocument, void (nsDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1138:12
    #45 0x7f3e7389fb42 in apply<nsDocument, void (nsDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1144
    #46 0x7f3e7389fb42 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1187
    #47 0x7f3e70c643e8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1422:14
    #48 0x7f3e70c6a538 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #49 0x7f3e71a2cca1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #50 0x7f3e71989820 in RunInternal src/ipc/chromium/src/base/message_loop.cc:320:10
    #51 0x7f3e71989820 in RunHandler src/ipc/chromium/src/base/message_loop.cc:313
    #52 0x7f3e71989820 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:293
    #53 0x7f3e7701acef in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:156:27
    #54 0x7f3e7b073d91 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:287:30
    #55 0x7f3e7b2425d4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4590:22
    #56 0x7f3e7b244140 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4773:8
    #57 0x7f3e7b245491 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4868:21
    #58 0x4eb613 in do_main src/browser/app/nsBrowserApp.cpp:237:22
    #59 0x4eb613 in main src/browser/app/nsBrowserApp.cpp:310
    #60 0x7f3e8d2c482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #61 0x41d168 in _start (firefox+0x41d168)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow src/dom/base/nsINode.h:1589:12 in GetBoolFlag
Shadow bytes around the buggy address:
  0x0c1880095330: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880095340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880095350: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880095360: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880095370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1880095380: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c1880095390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c18800953b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
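As an added example (not code from this bug report, nor from mozilla-central or the reporter's tooling), the following Python triage helper parses a report of the shape posted above: it pulls out the bug type and access, builds a top-frame signature of the kind used to bucket fuzzer crashes, and decodes the bracketed shadow byte with the legend ASan itself prints. The "uaf_candidate" flag encodes the reasoning behind "wild memory access suspected" next to a redzone byte bordered by freed regions; that heuristic is the example's own assumption, not an ASan rule. SAMPLE_REPORT is an excerpt of the report above with most middle frames omitted.

```python
"""Triage helper for AddressSanitizer reports such as the one above.

Added example, not part of this bug or of mozilla-central. It extracts what a
fuzzing triager reads first (bug type, access, top frames for bucketing) and
decodes the bracketed shadow byte with the legend ASan prints.
"""
import re

# Shadow byte legend exactly as ASan prints it at the end of each report.
SHADOW_LEGEND = {
    "00": "Addressable", "fa": "Heap left redzone", "fb": "Heap right redzone",
    "fd": "Freed heap region", "f1": "Stack left redzone", "f2": "Stack mid redzone",
    "f3": "Stack right redzone", "f4": "Stack partial redzone", "f5": "Stack after return",
    "f8": "Stack use after scope", "f9": "Global redzone", "f6": "Global init order",
    "f7": "Poisoned by user", "fc": "Container overflow", "ac": "Array cookie",
    "bb": "Intra object redzone", "fe": "ASan internal", "ca": "Left alloca redzone",
    "cb": "Right alloca redzone",
}

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (.+?) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+)$", re.M)
SHADOW_LINE_RE = re.compile(r"^(?:=>)?\s*0x[0-9a-f]+:((?:\s*\[?[0-9a-f]{2}\]?)+)\s*$")
MARKED_RE = re.compile(r"^=>0x[0-9a-f]+:.*?\[([0-9a-f]{2})\]", re.M)


def parse_frames(report):
    """Parse '#N 0x... in <function> <file>:<line>[:<col>]' frames.

    Function names contain spaces (signatures, templates), so the location is
    the last whitespace-separated token; '(firefox+0x...)' frames get line None.
    """
    frames = []
    for m in FRAME_RE.finditer(report):
        func, _, location = m.group(2).rstrip().rpartition(" ")
        path, _, pos = location.partition(":")
        frames.append({"func": func, "file": path,
                       "line": int(pos.split(":")[0]) if pos else None})
    return frames


def shadow_bytes(report):
    """All shadow byte values in the 'Shadow bytes around the buggy address' dump."""
    vals = []
    for line in report.splitlines():
        m = SHADOW_LINE_RE.match(line)
        if m:
            vals.extend(re.findall(r"[0-9a-f]{2}", m.group(1)))
    return vals


def triage(report, sig_depth=3):
    hdr = HEADER_RE.search(report)
    if hdr is None:
        raise ValueError("not an AddressSanitizer error report")
    acc = ACCESS_RE.search(report)
    frames = parse_frames(report)
    marked = MARKED_RE.search(report)
    shadow = marked.group(1) if marked else None
    wild = "wild memory access suspected" in report
    return {
        "type": hdr.group(1),
        "address": hdr.group(2),
        "access": acc.group(1) if acc else None,
        "size": int(acc.group(2)) if acc else None,
        "frames": frames,
        # Top-of-stack function names, the usual bucketing key for fuzzer crashes.
        "signature": [f["func"] for f in frames[:sig_depth]],
        "shadow_byte": shadow,
        "shadow_meaning": SHADOW_LEGEND.get(shadow, "unknown"),
        "wild_access": wild,
        # Heuristic (this example's assumption, not an ASan rule): ASan names the
        # bug after the shadow byte at the faulting address. A heap redzone byte it
        # could not tie to any live chunk, with freed memory (fd) in the same dump,
        # is also what a dangling pointer produces, so keep UAF as a candidate.
        "uaf_candidate": wild and shadow in ("fa", "fb") and "fd" in shadow_bytes(report),
    }


# Excerpt of the report posted in this bug (frames 3 and 5-60 omitted).
SAMPLE_REPORT = """\
==18933==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0004e9c5c at pc 0x7f3e735c88ac bp 0x7ffcaa8a6fa0 sp 0x7ffcaa8a6f98
READ of size 4 at 0x60c0004e9c5c thread T0
    #0 0x7f3e735c88ab in GetBoolFlag src/dom/base/nsINode.h:1589:12
    #1 0x7f3e735c88ab in HasTextNodeDirectionalityMap src/dom/base/nsINode.h:1665
    #2 0x7f3e735c88ab in RemoveElementFromMap src/dom/base/DirectionalityUtils.cpp:547
    #4 0x7f3e735dd53b in mozilla::dom::Element::UnbindFromTree(bool, bool) src/dom/base/Element.cpp:1979:5
    #61 0x41d168 in _start (firefox+0x41d168)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow src/dom/base/nsINode.h:1589:12 in GetBoolFlag
Shadow bytes around the buggy address:
  0x0c1880095360: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880095370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1880095380: fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa
  0x0c1880095390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c18800953a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['type']}: {r['access']} of size {r['size']} at {r['address']}")
    print("signature:", " <- ".join(r["signature"]))
    print(f"shadow byte {r['shadow_byte']} ({r['shadow_meaning']}), "
          f"wild={r['wild_access']}, uaf_candidate={r['uaf_candidate']}")
```

Run it on the full report text to get the same fields; the signature is deliberately taken from the raw top frames, so inlined accessors such as GetBoolFlag stay in the key and two crashes with different inlining decisions will bucket separately, which is usually what you want while the test case is still being hunted.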
Comment 1 • Reporter • 7 years ago
Found on m-c 20170627-8f80d594c08d
Comment 2 • 7 years ago
Did you encounter this again? Why do you think this is a11y related?
Flags: needinfo?(twsmith)
Comment 3 • Reporter • 7 years ago
Hmm, not sure why I did that, I'm going to assume I just had a11y on my mind (likely reducing another test case at the same time). Sorry about that.
Component: Disability Access APIs → DOM
Flags: needinfo?(twsmith)
Comment 4 • 7 years ago
Catalin, you've been looking at this area of code recently; can you take a look? This may be RTL-related?
Flags: needinfo?(catalin.badea392)
Comment 5 • 7 years ago
Tyson, can you still reproduce this? Comment 1 talks about build before bug 1346590 landed.
Flags: needinfo?(twsmith)
Comment 6 • Reporter • 7 years ago
(In reply to Olli Pettay [:smaug] from comment #5)
> Tyson, can you still reproduce this? Comment 1 talks about build before bug
> 1346590 landed.

No, I cannot repro; I will keep an eye open for new test cases. Please mark this as a dup if that is appropriate.
Flags: needinfo?(twsmith)
Comment 7 • 7 years ago
Reopen (or file a new bug) if this recurs.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated • 7 years ago
Flags: needinfo?(catalin.badea392)
Updated • 5 years ago
Component: DOM → DOM: Core & HTML
Updated • 5 years ago
Group: dom-core-security