Closed Bug 750109 (CVE-2012-1946) Opened 12 years ago Closed 12 years ago

Use-after-free in nsINode::ReplaceOrInsertBefore

Categories

Product / Component: Core :: DOM: Core & HTML
Type: defect
Version: 12 Branch
Priority: Not set
Severity: normal

Tracking

Status: VERIFIED FIXED
Tracking Status
firefox12 --- wontfix
firefox13 + fixed
firefox14 + fixed
firefox15 + fixed
firefox-esr10 --- unaffected

People

(Reporter: ax330d, Assigned: smaug)

References

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan][sg:critical][advisory-tracking+])

Attachments

(3 files)

A use-after-free is triggered while replacing/inserting a node in the document.

Crashes on:
  - 14.0a1 (Ubuntu 11.11, Linux x86-64), 
  - 15.0a1 (Windows 7, x86-64), 
  - 12.0 (Windows XP SP3).
Does not crash on 10.0.2.

The attached test case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
Attached file ASan log
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → bugs
Attached patch: patch
Attachment #619439 - Flags: review?
Attachment #619439 - Flags: review? → review?(hsivonen)
Whiteboard: [asan]
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
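The class of bug this report describes (a node-replacement routine that lets script run part-way through while still holding only a raw pointer to the node being replaced) as an added illustration, next to the hardened shape. This is not Gecko's code, the attached test case, or the landed patch: the Node, ReentrantScript and ReplaceChild* names are hypothetical stand-ins for nsINode::ReplaceOrInsertBefore and the script (here, whatever the outerHTML setter lets run) that can re-enter it, and the live-node registry stands in for the allocator bookkeeping that lets ASan flag a freed object.

```cpp
// Added illustration of the bug class, not Gecko code. Node, ReentrantScript
// and the ReplaceChild* routines are hypothetical stand-ins for the DOM types.
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Registry of live nodes. It plays the role ASan's allocation tracking does in
// the attached log: it lets us detect a stale pointer without dereferencing it.
std::set<const void*>& LiveNodes() {
  static std::set<const void*> live;
  return live;
}

struct Node {
  std::vector<std::shared_ptr<Node>> children;  // a parent owns its children
  Node() { LiveNodes().insert(this); }
  ~Node() { LiveNodes().erase(this); }

  int IndexOf(const Node* child) const {
    for (size_t i = 0; i < children.size(); ++i)
      if (children[i].get() == child) return static_cast<int>(i);
    return -1;
  }
};

// Script that may run in the middle of a replacement (mutation listener,
// outerHTML setter side effects, ...). It can do anything to the tree,
// including removing the very node that is being replaced.
using ReentrantScript = std::function<void(Node& parent)>;

struct ReplaceResult {
  bool usedFreedNode;  // true: the routine went on to use a destroyed node
  bool replaced;       // true: the replacement was actually performed
};

// Vulnerable shape: oldChild is only a raw pointer while script runs. If the
// script removes it from the parent (its only owner) it is destroyed, and the
// IndexOf/assignment below would operate on freed memory.
ReplaceResult ReplaceChildUnsafe(Node& parent, Node* oldChild,
                                 std::shared_ptr<Node> newChild,
                                 const ReentrantScript& script) {
  script(parent);
  if (LiveNodes().count(oldChild) == 0) {
    // Real code would read oldChild's fields here (sibling links, owner
    // document) and ASan would report heap-use-after-free at that access.
    return {true, false};
  }
  int idx = parent.IndexOf(oldChild);
  if (idx < 0) return {false, false};
  parent.children[idx] = std::move(newChild);
  return {false, true};
}

// Hardened shape: take a strong reference before anything reentrant runs
// (Gecko calls this a kungFuDeathGrip), then re-validate the tree afterwards
// instead of trusting what was true before the script ran.
ReplaceResult ReplaceChildSafe(Node& parent, Node* oldChild,
                               std::shared_ptr<Node> newChild,
                               const ReentrantScript& script) {
  int before = parent.IndexOf(oldChild);
  if (before < 0) return {false, false};
  std::shared_ptr<Node> kungFuDeathGrip = parent.children[before];
  script(parent);
  // oldChild is guaranteed alive here; it may however no longer be a child.
  int idx = parent.IndexOf(oldChild);
  if (idx < 0) return {false, false};  // tree changed underneath us: bail out
  parent.children[idx] = std::move(newChild);
  return {false, true};
}

// Constructed scenario: the script clears the parent's children while the
// replacement is in progress, dropping the last owner of oldChild.
ReplaceResult RunHostileScenario(bool hardened) {
  Node parent;
  parent.children.push_back(std::make_shared<Node>());
  Node* old = parent.children[0].get();
  ReentrantScript hostile = [](Node& p) { p.children.clear(); };
  auto replacement = std::make_shared<Node>();
  return hardened ? ReplaceChildSafe(parent, old, replacement, hostile)
                  : ReplaceChildUnsafe(parent, old, replacement, hostile);
}

// Benign case: the script leaves the tree alone, so the replacement happens.
ReplaceResult RunBenignScenario() {
  Node parent;
  parent.children.push_back(std::make_shared<Node>());
  Node* old = parent.children[0].get();
  return ReplaceChildSafe(parent, old, std::make_shared<Node>(), [](Node&) {});
}

int main() {
  std::printf("unsafe, hostile script: used freed node = %d\n",
              RunHostileScenario(false).usedFreedNode);
  std::printf("safe, hostile script:   used freed node = %d, replaced = %d\n",
              RunHostileScenario(true).usedFreedNode,
              RunHostileScenario(true).replaced);
  return 0;
}
```

The two halves of the fix matter separately: the strong reference only guarantees the object outlives the call, while the re-check of IndexOf after the script ran is what stops the routine from acting on a tree that no longer looks the way it did when the arguments were validated.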
Attachment #619439 - Flags: review?(hsivonen) → review+
Is this an exploitable crash?
I believe so
Attachment #619433 - Attachment mime type: text/plain → text/html
Keywords: sec-critical
Whiteboard: [asan] → [asan][sg:critical]
Anything preventing this from being checked in?

The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
Uh, I thought I had pushed this.
https://hg.mozilla.org/mozilla-central/rev/6e9d62160729
No longer blocks: 92264
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 619439 (patch)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-aurora?
Comment on attachment 619439 (patch)

[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-beta+
Attachment #619439 - Flags: approval-mozilla-aurora?
Attachment #619439 - Flags: approval-mozilla-aurora+
Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Status: RESOLVED → VERIFIED
Alias: CVE-2012-1946
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
Component: DOM → DOM: Core & HTML