Closed
Bug 1009160
Opened 11 years ago
Closed 11 years ago
Use-after-free on sandbox attribute
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla32
| | Tracking | Status |
|---|---|---|
| firefox31 | --- | unaffected |
| firefox32 | --- | verified |
| firefox-esr24 | --- | unaffected |
People
(Reporter: nils, Assigned: smaug)
Attachments
(3 files)
The attached testcase crashes the latest firefox asan build. ASAN output in asan.txt.
Updated•11 years ago
Component: DOM → Document Navigation
Updated•11 years ago
Keywords: csectype-uaf, sec-critical
Updated•11 years ago
Assignee: nobody → bugs
Forgot to add, the testcase requires Jesse's extensions: https://www.squarefree.com/extensions/domFuzzLite3.xpi
Comment 4•11 years ago
The crash fix is
-already_AddRefed<nsDOMSettableTokenList>
+nsDOMSettableTokenList*
and we also possibly have a leak because sandbox isn't traversed, so the same properties are now handled with svg as with html.
There is some redundancy there, but shouldn't be too bad.
Attachment #8422740 - Flags: review?(bzbarsky)
Comment 5•11 years ago
Comment on attachment 8422740 [details] [diff] [review]
patch
Ouch. I thought we'd disallowed that, but looks like gcc 4.4 prevented us from doing that. Curses!
Attachment #8422740 - Flags: review?(bzbarsky) → review+
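The ownership mismatch behind comments 4 and 5, shown as an added example that is not Mozilla's code: `RefCounted`, `already_AddRefed`, `RefPtr`, `TokenListOwner`, `SandboxBuggy`, `SandboxFixed` and the two `Simulate*` callers are simplified stand-ins constructed for this illustration. The point is the one bz makes: when a raw `T*` is allowed to convert implicitly into `already_AddRefed<T>`, a getter that returns a bare member pointer silently promises a reference it never took, and the first caller that stores the result in a smart pointer releases the owner's only reference out from under it.

```cpp
#include <iostream>

// Constructed stand-ins for Mozilla's refcounting helpers (not the real
// nsISupports / already_AddRefed / RefPtr; simplified for this example).

// A refcounted object. Instead of `delete this` at zero we only set a flag,
// so the example can inspect the object after the bogus release.
struct RefCounted {
  int refcnt = 0;
  bool destroyed = false;
  void AddRef() { ++refcnt; }
  void Release() {
    --refcnt;
    if (refcnt == 0) destroyed = true;  // real code: delete this
  }
};

// Ownership-transfer token: "this pointer already carries one reference that
// the receiver must Release". The implicit T* constructor is the hole: a raw
// pointer silently becomes a claim of ownership that was never taken.
// (Comment 5 says the intended ban on it was blocked by GCC 4.4.)
template <class T>
struct already_AddRefed {
  T* ptr;
  already_AddRefed(T* p) : ptr(p) {}
};

// Smart pointer: AddRefs a raw pointer it is given, consumes an
// already_AddRefed without AddRef, and Releases either on destruction.
template <class T>
class RefPtr {
  T* mPtr;
 public:
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  explicit RefPtr(already_AddRefed<T> aar) : mPtr(aar.ptr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  T* get() const { return mPtr; }
};

// Hypothetical element that owns its sandbox token list (stands in for the
// element whose getter's return type was changed in comment 4).
struct TokenListOwner {
  RefCounted mList;
  TokenListOwner() { mList.AddRef(); }   // the owner holds one strong ref
  ~TokenListOwner() { mList.Release(); }

  // Before the fix: declared to hand out an owned reference, but the body
  // returns the bare member pointer without AddRef. It compiles only because
  // of the implicit T* -> already_AddRefed<T> conversion above.
  already_AddRefed<RefCounted> SandboxBuggy() { return &mList; }

  // After the fix (the "-already_AddRefed / +T*" change): a borrowed pointer;
  // a caller that wants to keep it must AddRef it itself.
  RefCounted* SandboxFixed() { return &mList; }
};

struct Outcome { int refcnt; bool destroyed; };

// A caller stores the getter result in a RefPtr and then drops it. With the
// buggy getter the RefPtr consumes a reference that was never added, so its
// destructor Releases the owner's only reference: the list is torn down while
// the owner still points at it, which is the use-after-free.
Outcome SimulateBuggyCaller() {
  TokenListOwner owner;
  { RefPtr<RefCounted> p(owner.SandboxBuggy()); }
  return {owner.mList.refcnt, owner.mList.destroyed};  // {0, true}
}

// With the fixed getter the RefPtr AddRefs on acquire and Releases on drop,
// leaving the owner's reference intact.
Outcome SimulateFixedCaller() {
  TokenListOwner owner;
  { RefPtr<RefCounted> p(owner.SandboxFixed()); }
  return {owner.mList.refcnt, owner.mList.destroyed};  // {1, false}
}

int main() {
  Outcome b = SimulateBuggyCaller();
  Outcome f = SimulateFixedCaller();
  std::cout << "buggy getter: refcnt=" << b.refcnt
            << " destroyed=" << b.destroyed << "\n";
  std::cout << "fixed getter: refcnt=" << f.refcnt
            << " destroyed=" << f.destroyed << "\n";
  return 0;
}
```

The design point is that the return type is the whole contract: `already_AddRefed<T>` means "one reference travels with this pointer", `T*` means "borrowed". Deleting the `T*` constructor on `already_AddRefed` (which the real code does where the compiler allows it) turns the buggy getter into a compile error instead of a refcount underflow.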
Comment 6•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox29: --- → ?
status-firefox30: --- → ?
status-firefox31: --- → ?
status-firefox32: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Comment 8•11 years ago
I assume that this was trunk only since it went in without sec-approval+. Is that correct?
Flags: needinfo?(bugs)
Updated•11 years ago
Comment 10•11 years ago
Confirmed crash in ASan Fx32, 2014-05-15.
Verified fixed in ASan Fx32, 2014-08-20.
Status: RESOLVED → VERIFIED
Comment 11•11 years ago
(In reply to Olli Pettay [:smaug] from comment #9)
> yes, trunk only.
If the cause of the crash was as described in comment 4, the old code landed in Firefox 30 and would have been "Beta" at the time of comment 9. Were there other changes that made that matter? Have we verified that ESR31 is unaffected as claimed?
Needinfo for smaug and mwobensmith.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(bugs)
Comment 12•11 years ago
http://mxr.mozilla.org/mozilla-esr31/search?string=SVGIFrameElement%3A%3ASandbox doesn't give any results.
And https://bugzilla.mozilla.org/show_bug.cgi?id=949435#c104 should have happened for FF32.
Flags: needinfo?(bugs)
Comment 13•11 years ago
Don't know where you get FF30? Perhaps from the mercurial showing odd dates for the changesets. It is really good at that.
Updated•10 years ago
Flags: sec-bounty?
Updated•10 years ago
Flags: sec-bounty? → sec-bounty+
Updated•10 years ago
Group: core-security
Keywords: regression
Updated•7 years ago
Component: DOM → DOM: Core & HTML
Updated•5 years ago
Flags: sec-bounty-hof+
Updated•1 year ago
Keywords: reporter-external