Closed Bug 574059 (CVE-2010-2752)
Opened 14 years ago, Closed 14 years ago
nsCSSValue::Array index integer overflow (can lead to remote code execution via CSS font-face) (ZDI-CAN-831)
Categories: Core :: CSS Parsing and Computation, defect, P1
Tracking: RESOLVED FIXED (mozilla2.0b1)
People: Reporter: reed, Assigned: dbaron
Details: Keywords: verified1.9.1, verified1.9.2, Whiteboard: [sg:critical?]
Attachments (3 files)
5.23 KB, patch | bzbarsky: review+
4.02 KB, patch | christian: approval1.9.2.7+
3.94 KB, patch | christian: approval1.9.1.11+
ZDI-CAN-831: Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following products:

Mozilla Firefox 3.6.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within handling of references to external font resources. A value is used as a 16 bit integer in an array allocation and later as 32 bit when iterating over and then populating these fields. By creating enough references, a remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser.

Version(s) tested:

00400000 004e0000 firefox (deferred)
    Image path: C:\Program Files\Mozilla Firefox\firefox.exe
    Image name: firefox.exe
    Timestamp: Thu Apr 01 10:38:42 2010 (4BB4BE02)
    CheckSum: 000EA924
    ImageSize: 000E0000
    File version: 1.9.2.3743
    Product version: 3.6.3.0

Platform(s) tested:

Windows XP SP3 x86

http://mxr.mozilla.org/mozilla1.9.2/source/layout/style/nsCSSParser.cpp#7893

// alloc:
7892     nsRefPtr<nsCSSValue::Array> srcVals
7893       = nsCSSValue::Array::Create(values.Length());

// overflow:
7899     PRUint32 i;
7900     for (i = 0; i < values.Length(); i++)
7901       srcVals->Item(i) = values[i];

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * J23 (http://twitter.com/HansJ23)
Updated•14 years ago
Component: Layout → Style System (CSS)
QA Contact: layout → style-system
Comment 1•14 years ago (Reporter)
bp-ba8f7c42-2b7b-4389-8e5d-2cb772100623 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a6pre) Gecko/20100623 Minefield/3.7a6pre
Comment 2•14 years ago (Assignee)
We should probably just change nsCSSValue::Array to PRUint32. It was originally intended for only fixed-size things, but now it's being used for three things of author-controlled size: 'src' and 'unicode-range' inside @font-face, and min()/max() inside -moz-calc().
Updated•14 years ago (Assignee)
Assignee: nobody → dbaron
Comment 3•14 years ago (Assignee)
This switches to size_t, which I think is the right thing to use for things like this (and we should tend to switch). It might be larger than PRUint32, but it shouldn't be smaller on any platforms we support, and I think a mismatch that way around is ok.
Attachment #453462 - Flags: review?(bzbarsky)
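As an added illustration of the mismatch the advisory describes (a count narrowed to 16 bits at allocation time while the copy loop iterates over the full 32-bit length) and of the widening to size_t discussed in comment 2 and comment 3: this is not Mozilla's code and not the patch attached to this bug. The struct names ArrayU16 and ArraySizeT, and the functions Create, OverrunCount, FitsInCount and MakeValues, are names assumed for this example; std::vector stands in for the inline element storage, and the 70000-element input is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Constructed illustration, not Mozilla's code. ArrayU16 mirrors the shape the
// advisory describes: the element count lives in a 16-bit field, so Create(n)
// silently truncates any n >= 65536 while the caller's loop still iterates over
// the full length. ArraySizeT is the widened shape (count held in a size_t).
struct ArrayU16 {
    uint16_t mCount;
    std::vector<int> mItems;  // stands in for the inline element storage

    static ArrayU16 Create(size_t n) {
        ArrayU16 a;
        a.mCount = static_cast<uint16_t>(n);  // narrowing: 70000 becomes 4464
        a.mItems.assign(a.mCount, 0);         // allocation sized from the narrowed count
        return a;
    }
    size_t Count() const { return mCount; }
};

struct ArraySizeT {
    size_t mCount;
    std::vector<int> mItems;

    static ArraySizeT Create(size_t n) {
        ArraySizeT a;
        a.mCount = n;  // no narrowing: allocation matches the request
        a.mItems.assign(a.mCount, 0);
        return a;
    }
    size_t Count() const { return mCount; }
};

// The copy loop quoted in the report ("for (i = 0; i < values.Length(); i++)
// srcVals->Item(i) = values[i];"), instrumented so it never writes past the
// allocation: it counts the stores the unguarded loop would have made beyond
// the array's capacity. A result of 0 means allocation and loop agree.
template <class ArrayT>
size_t OverrunCount(const std::vector<int>& values) {
    ArrayT arr = ArrayT::Create(values.size());
    size_t overrun = 0;
    for (uint32_t i = 0; i < values.size(); i++) {
        if (i < arr.Count())
            arr.mItems[i] = values[i];
        else
            ++overrun;  // the unguarded loop would write out of bounds here
    }
    return overrun;
}

// The check a narrow count field needs before the value is stored: does n fit
// the field's type without truncation?
template <class CountT>
bool FitsInCount(size_t n) {
    return n <= static_cast<size_t>(std::numeric_limits<CountT>::max());
}

// Constructed input: more entries than a 16-bit count can represent.
std::vector<int> MakeValues(size_t n) {
    std::vector<int> v(n);
    for (size_t i = 0; i < n; i++) v[i] = static_cast<int>(i);
    return v;
}

int main() {
    const std::vector<int> values = MakeValues(70000);
    std::printf("16-bit count field: %zu stores past the allocation\n",
                OverrunCount<ArrayU16>(values));
    std::printf("size_t count field: %zu stores past the allocation\n",
                OverrunCount<ArraySizeT>(values));
    std::printf("70000 fits uint16_t count: %s\n",
                FitsInCount<uint16_t>(70000) ? "yes" : "no");
    return 0;
}
```

OverrunCount is deliberately bounds-checked so the demonstration counts the out-of-range stores rather than performing them. With the 16-bit count, 70000 entries allocate room for 4464 and the loop would have stored 65536 elements past the end; with a size_t count the two agree, which is the effect of the widening in the attached patch. FitsInCount is the guard to keep wherever a count field narrower than size_t must remain.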
Comment 4•14 years ago
Comment on attachment 453462 [details] [diff] [review]
patch

Why does size_t make sense for the refcount?
Comment 5•14 years ago (Assignee)
The size of the address space limits the number of objects that could own a reference to something.
Comment 6•14 years ago
Comment on attachment 453462 [details] [diff] [review]
patch

OK, I buy that. We should consider using size_t for refcounts in general, then, and use the macros here. Separate bug?
Attachment #453462 - Flags: review?(bzbarsky) → review+
Updated•14 years ago
Summary: CSS font-face Remote Code Execution Vulnerability (ZDI-CAN-831) → nsCSSValue::Array refcnt overflow (can lead to remote code execution via CSS font-face) (ZDI-CAN-831)
Updated•14 years ago (Assignee)
Summary: nsCSSValue::Array refcnt overflow (can lead to remote code execution via CSS font-face) (ZDI-CAN-831) → nsCSSValue::Array index integer overflow (can lead to remote code execution via CSS font-face) (ZDI-CAN-831)
Comment 7•14 years ago (Assignee)
http://hg.mozilla.org/mozilla-central/pushloghtml
Status: NEW → RESOLVED
Closed: 14 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a6
Updated•14 years ago (Assignee)
Attachment #453462 - Flags: approval1.9.2.6?
Updated•14 years ago
Comment 8•14 years ago (Reporter)
(In reply to comment #7)
> http://hg.mozilla.org/mozilla-central/pushloghtml

http://hg.mozilla.org/mozilla-central/rev/800ef4b6087f, actually.

Does this also affect 1.9.1?
Comment 9•14 years ago (Assignee)
With one chunk (the calc()-related one) removed, since calc() isn't on 1.9.2, plus some trivial merging.
Attachment #453897 - Flags: approval1.9.2.6?
Comment 10•14 years ago (Assignee)
Just the 1.9.2 patch with some trivial (i.e., context) merging.
Updated•14 years ago (Assignee)
Attachment #453462 - Flags: approval1.9.2.6?
Updated•14 years ago (Assignee)
Attachment #453898 - Flags: approval1.9.1.11?
Attachment #453897 - Flags: approval1.9.2.6? → approval1.9.2.6+
Attachment #453898 - Flags: approval1.9.1.11? → approval1.9.1.11+
Comment 11•14 years ago
a=LegNeato for 1.9.2.6 and 1.9.1.11. Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default (*not* any relbranches). The code freeze for both releases is this Friday (tomorrow) @ 11:59 PST.
Comment 12•14 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/0a8009ec6714
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2c38a62daa0a
Updated•14 years ago (Assignee)
Updated•14 years ago
Alias: CVE-2010-2752
Comment 13•14 years ago
Verified for 1.9.2.7 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729). Verified crash with 1.9.2.6. Verified for 1.9.1.11 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 Firefox/3.5.11 (.NET CLR 3.5.30729) as well. Crashes in 1.9.1.10.
Keywords: verified1.9.1, verified1.9.2
Updated•14 years ago
Group: core-security