Bug 1130541 (CVE-2015-0831)

Heap use-after-free in mozilla::dom::IndexedDB::IDBObjectStore::CreateIndex

VERIFIED FIXED in Firefox 36, Firefox OS v1.4

Status


Core
DOM: IndexedDB
VERIFIED FIXED
3 years ago
a year ago

People

(Reporter: Paul, Assigned: Ben Turner (not reading bugmail, use the needinfo flag!))

Tracking

({csectype-uaf, sec-critical})

Trunk
mozilla38
x86_64
Windows 7
csectype-uaf, sec-critical
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox35 wontfix, firefox36+ verified, firefox37+ verified, firefox38+ verified, firefox-esr3136+ verified, b2g-v1.4 fixed, b2g-v2.0 fixed, b2g-v2.0M fixed, b2g-v2.1 fixed, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-master fixed)

Details

(Whiteboard: [adv-main36+][adv-esr31.5+])

Attachments

(4 attachments)

(Reporter)

Description

3 years ago
Created attachment 8560617 [details]
test5.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:

Open the attached html file in Firefox. It crashes with latest asan and also crashes on latest regular Nightly for me on Windows and Linux.

This is the stacktrace I get with latest build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/

==2401==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000274108 at pc 0x7fcdabfee8db bp 0x7fffac242540 sp 0x7fffac242538
READ of size 8 at 0x606000274108 thread T0 (Web Content)
    #0 0x7fcdabfee8da in Assign /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBSharedTypes.cpp:519
    #1 0x7fcdaff05f7e in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:807
    #2 0x7fcdaff26d58 in NoteDeletion /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:2074
    #3 0x7fcdaff21893 in CreateIndexInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1760
    #4 0x7fcdaff20fad in CreateIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1682
    #5 0x7fcdae49e431 in createIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./IDBObjectStoreBinding.cpp:667
    #6 0x7fcdaf0c1643 in GenericBindingMethod /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2522
    #7 0x7fcdb3f5d270 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #8 0x7fcdb3f9a00e in Interpret /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #9 0x7fcdb3f7dc89 in RunScript /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #10 0x7fcdb3f5d82a in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517
    #11 0x7fcdb3fa820e in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:554
    #12 0x7fcdb3bbc99f in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4474
    #13 0x7fcdae02ee05 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #14 0x7fcdaf3ca0d1 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:350
    #15 0x7fcdaf3c83c2 in HandleEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #16 0x7fcdaf38beaf in HandleEventSubType /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:976
    #17 0x7fcdaf38dedf in HandleEventInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1124
    #18 0x7fcdaf37d781 in HandleEventTargetChain /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #19 0x7fcdaf381a06 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #20 0x7fcdaf342655 in DispatchDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:697
    #21 0x7fcdaf35d7d9 in DispatchEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:251
    #22 0x7fcdafeced58 in DispatchSuccessEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:751
    #23 0x7fcdafed1f39 in RecvPBackgroundIDBVersionChangeTransactionConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1406
    #24 0x7fcdabfbe66d in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBDatabaseChild.cpp:560
    #25 0x7fcdabf9839c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:761
    #26 0x7fcdabf2a941 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1231
    #27 0x7fcdabf201b5 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1142
    #28 0x7fcdabede3e4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361
    #29 0x7fcdabedf497 in DoWork /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:447
    #30 0x7fcdabf325c2 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:233
    #31 0x7fcdab69d364 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #32 0x7fcdab6fd51a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7fcdabf31d29 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7fcdabedcf6c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7fcdb04f6367 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #36 0x7fcdb206a732 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #37 0x7fcdabedcf6c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #38 0x7fcdb2069d14 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #39 0x48a9f1 in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #40 0x7fcda92a9d54 in __libc_start_main ??:?
    #41 0x489dcc in _start ??:?

0x606000274108 is located 8 bytes inside of 56-byte region [0x606000274100,0x606000274138)
freed by thread T0 (Web Content) here:
    #0 0x47265b in __interceptor_realloc _asan_rtl_
    #1 0x7fcdb7bf2a8d in moz_xrealloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:84
    #2 0x7fcdab51d6cf in Realloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray.h:184
    #3 0x7fcdaff22642 in AppendElement<mozilla::dom::indexedDB::IndexMetadata> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/nsTArray.h:1330
    #4 0x7fcdaff2183e in CreateIndexInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1750
    #5 0x7fcdaff20fad in CreateIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1682
    #6 0x7fcdae49e431 in createIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./IDBObjectStoreBinding.cpp:667
    #7 0x7fcdaf0c1643 in GenericBindingMethod /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2522
    #8 0x7fcdb3f5d270 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #9 0x7fcdb3f9a00e in Interpret /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #10 0x7fcdb3f7dc89 in RunScript /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #11 0x7fcdb3f5d82a in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517
    #12 0x7fcdb3fa820e in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:554
    #13 0x7fcdb3bbc99f in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4474
    #14 0x7fcdae02ee05 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #15 0x7fcdaf3ca0d1 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:350
    #16 0x7fcdaf3c83c2 in HandleEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #17 0x7fcdaf38beaf in HandleEventSubType /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:976
    #18 0x7fcdaf38dedf in HandleEventInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1124
    #19 0x7fcdaf37d781 in HandleEventTargetChain /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #20 0x7fcdaf381a06 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #21 0x7fcdaf342655 in DispatchDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:697
    #22 0x7fcdaf35d7d9 in DispatchEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:251
    #23 0x7fcdafeced58 in DispatchSuccessEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:751
    #24 0x7fcdafed1f39 in RecvPBackgroundIDBVersionChangeTransactionConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1406
    #25 0x7fcdabfbe66d in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBDatabaseChild.cpp:560
    #26 0x7fcdabf9839c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:761
    #27 0x7fcdabf2a941 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1231
    #28 0x7fcdabf201b5 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1142
    #29 0x7fcdabede3e4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361

previously allocated by thread T0 (Web Content) here:
    #0 0x4723e1 in __interceptor_malloc _asan_rtl_
    #1 0x7fcdb7bf27dd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:52
    #2 0x7fcdab51d5f3 in Malloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray.h:181
    #3 0x7fcdaff22642 in AppendElement<mozilla::dom::indexedDB::IndexMetadata> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/nsTArray.h:1330
    #4 0x7fcdaff2183e in CreateIndexInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1750
    #5 0x7fcdaff20fad in CreateIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1682
    #6 0x7fcdae49e431 in createIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./IDBObjectStoreBinding.cpp:667
    #7 0x7fcdaf0c1643 in GenericBindingMethod /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2522
    #8 0x7fcdb3f5d270 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #9 0x7fcdb3f9a00e in Interpret /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #10 0x7fcdb3f7dc89 in RunScript /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #11 0x7fcdb3f5d82a in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517
    #12 0x7fcdb3fa820e in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:554
    #13 0x7fcdb3bbc99f in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4474
    #14 0x7fcdae02ee05 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #15 0x7fcdaf3ca0d1 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:350
    #16 0x7fcdaf3c83c2 in HandleEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #17 0x7fcdaf38beaf in HandleEventSubType /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:976
    #18 0x7fcdaf38dedf in HandleEventInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1124
    #19 0x7fcdaf37d781 in HandleEventTargetChain /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #20 0x7fcdaf381a06 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #21 0x7fcdaf342655 in DispatchDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:697
    #22 0x7fcdaf35d7d9 in DispatchEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:251
    #23 0x7fcdafeced58 in DispatchSuccessEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:751
    #24 0x7fcdafed1f39 in RecvPBackgroundIDBVersionChangeTransactionConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1406
    #25 0x7fcdabfbe66d in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBDatabaseChild.cpp:560
    #26 0x7fcdabf9839c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:761
    #27 0x7fcdabf2a941 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1231
    #28 0x7fcdabf201b5 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1142
    #29 0x7fcdabede3e4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c0c800467d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800467e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800467f0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c0c80046800: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80046810: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c80046820: fd[fd]fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c80046830: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80046840: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c80046850: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c80046860: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80046870: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
==2401==ABORTING

P.S. Please let me know if something's wrong; it's my first time with open source.


Actual results:

It crashes


Expected results:

It should create an index.
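The two stacks in the report above describe one bug class: the "freed by" stack is the realloc inside AppendElement on the object store's index array (IDBObjectStore.cpp:1750), and the READ stack is a copy of an element made ten lines later (IDBObjectStore.cpp:1760) through a pointer or reference into the buffer that the append had just freed. The block below is an added C++ illustration of that class, a reference into a growable array that dangles once the array reallocates, with a capacity check that predicts the hazard and the two usual fixes. It is not Firefox code and not the patch attached to this bug; it uses std::vector in place of nsTArray, and `IndexMetadata` is a constructed stand-in whose fields are an assumption.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for the per-index record named in the trace
// (mozilla::dom::indexedDB::IndexMetadata); the fields are an assumption.
struct IndexMetadata {
    std::string name;
    long id;
};

// True when a reference into `metas` taken now would still be valid after one
// more push_back: the buffer only moves when size has reached capacity.
bool referenceSurvivesAppend(const std::vector<IndexMetadata>& metas) {
    return metas.size() < metas.capacity();
}

// Appends and reports whether the backing store moved. A move is the realloc
// in the "freed by" stack above; every pointer or reference into the old
// buffer is dangling from that moment on.
bool appendMovesStorage(std::vector<IndexMetadata>& metas, IndexMetadata m) {
    const IndexMetadata* before = metas.data();
    metas.push_back(std::move(m));
    return metas.data() != before;
}

// The bug class itself, kept as a comment because it is undefined behaviour:
//
//   IndexMetadata& existing = metas[0];   // reference into the buffer
//   metas.push_back(extra);               // may reallocate and free it
//   IndexMetadata copy = existing;        // reads freed memory: heap-use-after-free
//
// AddressSanitizer reports the third line as the READ and the push_back's
// realloc as the "freed by" stack, the same shape as the report above.

// Fix pattern 1: carry an index across the mutation and re-derive the
// reference afterwards. Indexes stay valid across reallocation; references
// and pointers do not.
IndexMetadata copyAfterAppendByIndex(std::vector<IndexMetadata>& metas,
                                     std::size_t idx, IndexMetadata extra) {
    metas.push_back(std::move(extra));
    return metas[idx];  // fresh lookup against the current buffer
}

// Fix pattern 2: reserve room before taking the reference, so the one append
// that follows is guaranteed not to reallocate.
IndexMetadata copyAfterAppendWithReserve(std::vector<IndexMetadata>& metas,
                                         std::size_t idx, IndexMetadata extra) {
    metas.reserve(metas.size() + 1);
    IndexMetadata& existing = metas[idx];  // safe across exactly one push_back
    metas.push_back(std::move(extra));
    return existing;
}

// Constructed scenario: a full vector (size == capacity) whose next append
// must reallocate, which is the state in which the unsafe pattern crashes.
std::vector<IndexMetadata> fullVector() {
    std::vector<IndexMetadata> metas;
    metas.reserve(1);
    metas.push_back({"byName", 1});
    return metas;
}

int main() {
    std::vector<IndexMetadata> metas = fullVector();
    std::printf("reference would survive append: %s\n",
                referenceSurvivesAppend(metas) ? "yes" : "no");
    IndexMetadata c = copyAfterAppendByIndex(metas, 0, {"byAge", 2});
    std::printf("copied %s; vector now holds %zu entries\n",
                c.name.c_str(), metas.size());
    return 0;
}
```

The capacity check is the cheap guard a reviewer can apply by eye to any "take reference, then append" sequence: if nothing guarantees size < capacity at the point the reference is taken, the code is wrong whether or not it happens to crash today.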

Updated

3 years ago
Component: Untriaged → DOM: IndexedDB
Product: Firefox → Core
Assignee: nobody → bent.mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Created attachment 8560657 [details] [diff] [review]
changes.patch

Yikes, this is dumb!
Attachment #8560657 - Flags: review?(Jan.Varga)
Keywords: csectype-uaf, sec-critical

Updated

3 years ago
Attachment #8560657 - Flags: review?(Jan.Varga) → review+
Comment on attachment 8560657 [details] [diff] [review]
changes.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Which older supported branches are affected by this flaw? The specific crash here was introduced in bug 994190. However, previous versions would have probably crashed in some other way. The general problem probably goes back all the way to the first version of IndexedDB...

If not all supported branches, which bug introduced the flaw? All supported branches

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? A separate patch would be required for esr31, but it's basically identical.

How likely is this patch to cause regressions; how much testing does it need? It's very safe.
Attachment #8560657 - Flags: sec-approval?
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Easily

Do comments in the patch, the check-in comment, or tests included in the
patch paint a bulls-eye on the security problem? Yes
We're going to want this on Aurora, Beta, and ESR31. 

Sec-approval+ for trunk and I will approve it for Beta and Aurora.
Comment on attachment 8560657 [details] [diff] [review]
changes.patch

[Triage Comment]
Attachment #8560657 - Flags: sec-approval?
Attachment #8560657 - Flags: sec-approval+
Attachment #8560657 - Flags: approval-mozilla-beta+
Attachment #8560657 - Flags: approval-mozilla-aurora+
status-firefox35: --- → wontfix
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox38: --- → affected
status-firefox-esr31: --- → affected
tracking-firefox36: --- → +
tracking-firefox37: --- → +
tracking-firefox38: --- → +
tracking-firefox-esr31: --- → 36+
Flags: sec-bounty?
https://hg.mozilla.org/mozilla-central/rev/2565e56e117c
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox38: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
https://hg.mozilla.org/releases/mozilla-aurora/rev/6c0b609839b1
https://hg.mozilla.org/releases/mozilla-beta/rev/cb5d2bbf9234
status-b2g-v1.4: --- → affected
status-b2g-v2.0: --- → affected
status-b2g-v2.0M: --- → affected
status-b2g-v2.1: --- → affected
status-b2g-v2.1S: --- → affected
status-b2g-v2.2: --- → affected
status-b2g-master: --- → fixed
status-firefox36: affected → fixed
status-firefox37: affected → fixed
Comment on attachment 8560657 [details] [diff] [review]
changes.patch

Taking it for esr since it seems affected.
Attachment #8560657 - Flags: approval-mozilla-esr31+
Flags: sec-bounty? → sec-bounty+
Created attachment 8561687 [details] [diff] [review]
changes.patch

Test fix for esr31
Landed the test fix on esr31.

Ryan, I'm unsure whether this needs to go onto the b2g branches as it's a test-only fix for a test suite that doesn't get run on those trees. I'll leave that call to you.
Flags: needinfo?(ryanvm)
I don't think we need to, but thanks for checking!
Flags: needinfo?(ryanvm)
Reproduced the issue using the POC from comment #0 using the following build:
- https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1423184190/

Went through verification using the following builds:

fx 38:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1424257348/

fx 37:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1424276351/

fx 36:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1424276528/

fx 31.5.0:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr31-linux64/1424276997/

Test Cases Used:

* Opened the POC from comment #0 several times without any issues in regular tabs/windows
* Opened the POC from comment #0 several times without any issues in private tabs/windows
Status: RESOLVED → VERIFIED
status-firefox36: fixed → verified
status-firefox37: fixed → verified
status-firefox38: fixed → verified
status-firefox-esr31: fixed → verified
Whiteboard: [adv-main36+][adv-esr31.5+]
Alias: CVE-2015-0831

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release