Closed Bug 750820 (CVE-2012-1958) Opened 12 years ago Closed 12 years ago

Use-after-free in nsGlobalWindow::PageHidden

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
14 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox13 --- wontfix
firefox14 + fixed
firefox15 + fixed
firefox16 + fixed
firefox-esr10 14+ fixed

People

(Reporter: ax330d, Assigned: mccr8)

Details

(Keywords: csectype-uaf, sec-moderate, Whiteboard: [asan][qa-][advisory-tracking+])

Attachments

(2 files)

ASan log
12.61 KB, text/plain
Details
nsCOMPtrs are your friend
1.18 KB, patch
bzbarsky
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
lsblakk
: approval-mozilla-esr10+
Details | Diff | Splinter Review
Attached file ASan log — 
Heap-use-after-free caught on Firefox 14.0a1, ASan log attached. Unfortunately no PoC at the moment - will try to catch it again.
Comment on attachment 619997 [details]
ASan log

Seems curious that this code address in the first stack:
>    #1 0x7f67ec1439c9 in nsGlobalWindow::PageHidden() /srv/repos/browser/mozilla-central/dom/base/nsGlobalWindow.cpp:7937
and this code address in the second stack:
>    #3 0x7f67ec1439c9 in nsGlobalWindow::PageHidden() /srv/repos/browser/mozilla-central/dom/base/nsGlobalWindow.cpp:7937
are exactly the same despite appearing to call different functions.
Component: Untriaged → DOM
Product: Firefox → Core
QA Contact: untriaged → general
I'd like to see a test case.  These stacks don't make much sense.
This sort of makes sense, if you assume that nsFocusManager::WindowHidden got inlined into nsGlobalWindow::PageHidden by PGO without updating debugging symbols accordingly or some such pernicious compiler behavior.

In particular, nsFocusManager::WindowHidden has this code:

957   nsIContent* oldFocusedContent = mFocusedContent;
958   mFocusedContent = nsnull;

mFocusedContent is an nsCOMPtr.  oldFocusedContent probably should be too, in case we're holding the last ref to the content (though how _that_ can be happening is not clear to me).
Keywords: testcase-wanted
Whiteboard: [asan]
We can't move this forward or rate this without a testcase. Arthur, can you supply one or we'll need to close this as incomplete.
Comment 3 contains an actionable suggestion, even without a test case.
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #5)
> Comment 3 contains an actionable suggestion, even without a test case.

All right. Who can we assign this to? Since it is a security bug, it is going to be hidden from most people.
I can implement Comment 3.  Looks simple enough.
Assignee: nobody → continuation
Attached patch nsCOMPtrs are your friend — — Splinter Review 
The code bz pointed out (that is fixed here) goes back at least to ESR10.  Hard to know if that is all that is needed to cause the problem from comment 0.
Comment on attachment 625285 [details] [diff] [review]
nsCOMPtrs are your friend

Try run looked fine.
Attachment #625285 - Flags: review?(bzbarsky)
This looks like an sg:crit, though the mystery of how to trigger the second condition remains.
Comment on attachment 625285 [details] [diff] [review]
nsCOMPtrs are your friend

r=me
Attachment #625285 - Flags: review?(bzbarsky) → review+
Given how late it is in the cycle, I suppose it makes sense to wait until the middle of the next one, then land everywhere...
marking sec-critical due to it being a use-after-free.
Keywords: sec-critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Should be OK to land now, although it's a potentially attention-grabbing simple patch it's not directly obvious how to get from here to how to trigger it. Make sure it does land everywhere this cycle, though.
status-firefox-esr10: --- → affected
status-firefox13: --- → wontfix
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
tracking-firefox-esr10: --- → 14+
tracking-firefox14: --- → +
tracking-firefox15: --- → +
tracking-firefox16: --- → +
https://hg.mozilla.org/integration/mozilla-inbound/rev/1d8494a681e3
OS: Linux → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/1d8494a681e3
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox16: affectedfixed
Resolution: --- → FIXED
I expect that the fix will not be verified since no one can trigger the original problem on demand.
At least in build cf4face65451 I don't see it crashing anymore with this ASan stacktrace.
Prior to the patch did the stacktrace come up often enough to make comment 19 reliable evidence that we fixed the bug you reported?
It wasn't crashing often, also, as far as I remember, I haven't seen these stacktrace on something later than 14 branch. Just to avoid confusion: with "At least" I meant that this bug is most likely fixed.
Comment on attachment 625285 [details] [diff] [review]
nsCOMPtrs are your friend

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sg:crit
User impact if declined: possible crashes, sg:crit
Fix Landed on Version: 16
Risk to taking this patch (and alternatives if risky): low, this just makes an object stay alive a little longer in some cases
String or UUID changes made by this patch: none

[Approval Request Comment]
Bug caused by (feature/regressing bug #): It has been in a while.
Testing completed (on m-c, etc.): It has been on m-c for a few days.
Attachment #625285 - Flags: approval-mozilla-esr10?
Attachment #625285 - Flags: approval-mozilla-beta?
Attachment #625285 - Flags: approval-mozilla-aurora?
Comment on attachment 625285 [details] [diff] [review]
nsCOMPtrs are your friend

Given that we're in the middle of this release cycle and Dan's comment 14, approving to land everywhere.
Attachment #625285 - Flags: approval-mozilla-esr10?
Attachment #625285 - Flags: approval-mozilla-esr10+
Attachment #625285 - Flags: approval-mozilla-beta?
Attachment #625285 - Flags: approval-mozilla-beta+
Attachment #625285 - Flags: approval-mozilla-aurora?
Attachment #625285 - Flags: approval-mozilla-aurora+
qa- for verification as no one has been able to reliably reproduce this bug. Arthur, if you do get a PoC working, can you please help us verify the fix by testing the latest builds? Thanks.
Whiteboard: [asan] → [asan][qa-]
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #26)
> qa- for verification as no one has been able to reliably reproduce this bug.
> Arthur, if you do get a PoC working, can you please help us verify the fix
> by testing the latest builds? Thanks.
Sure.
Hi Arthur,  how did the testing go?
(In reply to chris hofmann from comment #28)
> Hi Arthur,  how did the testing go?

Hi Chris. Unfortunately I still have no test-case to verify patch, but I also haven't seen any similar stacktrace in new builds while fuzzing. Anyhow, if I get the test-case, I will check it.
Arthur: we're leaning against awarding this a bounty because it seems extremely unlikely an attacker could cause a reallocation of anything useful where oldFocusedContent points between when mFocusedContent might be released and when oldFocusedContent is used in the same function. Do you have any arguments as to what might make this a plausible vector?
In current situation without being able to reproduce the bug, I can't provide any additional information.
Whiteboard: [asan][qa-] → [asan][qa-][advisory-tracking+]
Alias: CVE-2012-1958
modifying severity based on comment 30
Keywords: sec-criticalsec-moderate
Group: core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: