Bug 1506157 (Closed): AddressSanitizer: use-after-poison [@ Type] with READ of size 1
Opened 6 years ago; closed 6 years ago
Status: RESOLVED WORKSFORME
Categories: Core :: Layout, defect, P2
Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox63 | --- | unaffected
firefox64 | --- | unaffected
firefox65 | - | disabled
People: Reporter: jkratzer; Unassigned
References: Blocks 1 open bug
Details: 5 keywords
Attachments: 1 file (389 bytes, text/html)
Testcase found while fuzzing mozilla-central rev 5e7636ec12c5. I'm currently reducing the testcase and will update once complete.

==19123==ERROR: AddressSanitizer: use-after-poison on address 0x6250002158fd at pc 0x7fa01a7c044b bp 0x7fff3ea08430 sp 0x7fff3ea08428
READ of size 1 at 0x6250002158fd thread T0 (file:// Content)
    #0 0x7fa01a7c044a in Type src/layout/generic/nsIFrame.h:2762:38
    #1 0x7fa01a7c044a in IsColumnSetWrapperFrame src/obj-firefox/dist/include/mozilla/FrameTypeList.h:21
    #2 0x7fa01a7c044a in GetMultiColumnContainingBlockFor src/layout/base/nsCSSFrameConstructor.cpp:618
    #3 0x7fa01a7c044a in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:8773
    #4 0x7fa01a7ba68a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7887:9
    #5 0x7fa01a7ba31a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7871:11
    #6 0x7fa01a7ba31a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7871:11
    #7 0x7fa01a7a0012 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:9089:5
    #8 0x7fa01a71e6ab in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1551:25
    #9 0x7fa01a72fae3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3065:9
    #10 0x7fa01a6ce875 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3142:3
    #11 0x7fa01a6ce875 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4359
    #12 0x7fa01a63c96e in FlushPendingNotifications src/layout/base/nsIPresShell.h:591:5
    #13 0x7fa01a63c96e in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1907
    #14 0x7fa01a6507c3 in TickDriver src/layout/base/nsRefreshDriver.cpp:326:13
    #15 0x7fa01a6507c3 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301
    #16 0x7fa01a6501bc in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:319:5
    #17 0x7fa01a65344f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5
    #18 0x7fa01a65344f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:676
    #19 0x7fa01a652d82 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:573:9
    #20 0x7fa01b1636b8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:76:16
    #21 0x7fa011d30ef5 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #22 0x7fa011abc18d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #23 0x7fa0112a42c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2244:25
    #24 0x7fa01129fc4a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2171:17
    #25 0x7fa0112a1e51 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2008:5
    #26 0x7fa0112a2d17 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2041:15
    #27 0x7fa010033b81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #28 0x7fa01003c92d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #29 0x7fa0112ad62f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #30 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #31 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #32 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #33 0x7fa019f71003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #34 0x7fa01e840e3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #35 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #36 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #37 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #38 0x7fa01e83fe9b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #39 0x55fb60507864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #40 0x55fb60507864 in main src/browser/app/nsBrowserApp.cpp:287
    #41 0x7fa033017b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #42 0x55fb6042ceec in _start (/home/worker/firefox-asan/firefox+0x2deec)

0x6250002158fd is located 4093 bytes inside of 8192-byte region [0x625000214900,0x625000216900)
allocated by thread T0 (file:// Content) here:
    #0 0x55fb604d4d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7fa00ffd0e30 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7fa00ffc66a8 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7fa00ffc66a8 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7fa00ffc66a8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7fa01a970a7a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
    #6 0x7fa01a970a7a in AllocateFrame src/layout/base/nsIPresShell.h:207
    #7 0x7fa01a970a7a in operator new src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fa01a970a7a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fa01a784013 in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2712:5
    #10 0x7fa01a6aa0e2 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1798:36
    #11 0x7fa0141b7f71 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1276:26
    #12 0x7fa012b34d22 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
    #13 0x7fa012b3035b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7fa012b2d24a in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
    #15 0x7fa012b3a36f in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:59:16
    #16 0x7fa00fff6685 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7fa010033b81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #18 0x7fa01003c92d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7fa0112ad62f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7fa019f71003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7fa01e840e3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #25 0x7fa0111a9aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7fa0111a9aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7fa0111a9aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7fa01e83fe9b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34

SUMMARY: AddressSanitizer: use-after-poison src/layout/generic/nsIFrame.h:2762:38 in Type
Shadow bytes around the buggy address:
  0x0c4a8003aac0: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7
  0x0c4a8003aad0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003aae0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003aaf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a8003ab10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]
  0x0c4a8003ab20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8003ab60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19123==ABORTING
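The "use-after-poison" verdict and the f7 ("Poisoned by user") shadow bytes mean the byte that Type() read sits inside a live 8192-byte arena chunk, in a region the arena itself marked unusable after the frame was released, rather than in memory returned to malloc. The following is an added illustration, not code from mozilla-central: a toy bump arena that poisons freed objects the way the frame arena in the report does, with a one-byte read of a freed frame's type as the faulting pattern. All names (arena_alloc, arena_free, Frame) are made up; built with -fsanitize=address the last read in main aborts with the same kind of report, while a plain build turns the poison calls into no-ops.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__SANITIZE_ADDRESS__) /* gcc */
#  define ARENA_HAVE_ASAN
#elif defined(__has_feature) /* clang */
#  if __has_feature(address_sanitizer)
#    define ARENA_HAVE_ASAN
#  endif
#endif
/* With ASan, poison/unpoison drive the shadow bytes; without it they are no-ops. */
#ifdef ARENA_HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define ARENA_ASAN 1
#  define ARENA_POISON(p, n) ASAN_POISON_MEMORY_REGION((p), (n))
#  define ARENA_UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#  define ARENA_IS_POISONED(p) __asan_address_is_poisoned(p)
#else
#  define ARENA_ASAN 0
#  define ARENA_POISON(p, n) ((void)(p), (void)(n))
#  define ARENA_UNPOISON(p, n) ((void)(p), (void)(n))
#  define ARENA_IS_POISONED(p) ((void)(p), 0)
#endif
#define CHUNK_SIZE 8192 /* chunk size of the report's ArenaAllocator<8192ul, 8ul> */
static uint64_t g_chunk[CHUNK_SIZE / 8]; /* 8-byte aligned, matching ASan's granule */
static size_t g_used;
typedef struct { uint8_t type; uint8_t pad[63]; } Frame; /* toy stand-in for a layout frame */

int arena_asan_enabled(void) { return ARENA_ASAN; }
/* Bump-allocate from the chunk and hand the object back addressable. */
void *arena_alloc(size_t n) {
  if (n % 8 != 0 || g_used + n > CHUNK_SIZE) return NULL;
  void *p = (uint8_t *)g_chunk + g_used;
  g_used += n;
  ARENA_UNPOISON(p, n);
  return p;
}
/* Freeing keeps the bytes inside the chunk but marks them poisoned (shadow byte f7). */
void arena_free(void *p, size_t n) { ARENA_POISON(p, n); }
/* 1 if ASan considers the byte unusable; always 0 without ASan, which tracks nothing. */
int arena_is_poisoned(const void *p) { return ARENA_IS_POISONED(p); }
/* The report's pattern: a 1-byte read of the frame's type after the frame was freed. */
uint8_t frame_type(const Frame *f) { return f->type; }
int main(void) {
  Frame *f = arena_alloc(sizeof *f);
  f->type = 42;
  arena_free(f, sizeof *f);
  printf("poisoned after free: %d\n", arena_is_poisoned(f));
  printf("type: %u\n", frame_type(f)); /* with -fsanitize=address: use-after-poison, READ of size 1 */
  return 0;
}
```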
Comment 1 (Reporter) • 6 years ago

Updated (Reporter) • 6 years ago
Flags: in-testsuite?
Keywords: testcase-wanted → testcase

Updated • 6 years ago
Group: core-security → layout-core-security

Updated • 6 years ago
status-firefox63: --- → unaffected
status-firefox64: --- → unaffected
status-firefox-esr60: --- → unaffected
tracking-firefox65: --- → +
Keywords: regression

Updated • 6 years ago
Blocks: fuzzing-column-span

Updated • 6 years ago
Priority: -- → P2

Updated • 6 years ago
Flags: needinfo?(aethanyc)

Updated • 6 years ago
Keywords: csectype-framepoisoning, sec-low

Comment 3 • 6 years ago
I need some advice to reproduce this locally. I've downloaded the artifact AddressSanitizer debug build from [1], and run a command like "./firefox -layoutdebug -P asan 1506157.html" where the asan profile has "layout.css.column-span.enabled=true". However, I cannot reproduce this bug and many other AddressSanitizer ones blocking bug 1421105. Did I miss something?

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer
Flags: needinfo?(twsmith), needinfo?(jkratzer)

Comment 4 • 6 years ago
(In reply to Ting-Yu Lin [:TYLin] (UTC-8) from comment #3)
> Did I miss something?

I also can't reproduce the issue. My guess is that this was actually a dup of another bug. I know there were other similar memory corruption issues reported at the same time. Feel free to close it and I'll set layout.css.column-span.enabled=true in the fuzzers. We hit this issue frequently, so if it's in there we should be able to find it again quickly.
Flags: needinfo?(twsmith), needinfo?(aethanyc)

Comment 5 • 6 years ago
Oops, checked the wrong ni? box.
Flags: needinfo?(jkratzer) → needinfo?(aethanyc)

Comment 6 • 6 years ago
Tyson, thanks for the prompt feedback. I'll test the other bugs and close them if I cannot reproduce them by loading the test case into the Asan build. Meanwhile, I'm fixing known issues related to column-span in bug 1507244, bug 1506314, bug 1507196, etc. It might be better to enable layout.css.column-span.enabled in the fuzzers after those have landed, to avoid dup issues. I'll give you a signal in bug 1491723 when it's ready.
Flags: needinfo?(aethanyc) → needinfo?(twsmith)

Comment 8 • 6 years ago
Tested on Asan Nightly 2018-12-18. Closing this because it is no longer reproducible, per comment 3 and comment 4.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME

Updated • 5 years ago
Group: layout-core-security