Closed
Bug 1188234
Opened 9 years ago
Closed 9 years ago
nsXULPrototypeElement::Deserialize doesn't bounds check when accessing aNodeInfos
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
mozilla42
People
(Reporter: q1, Assigned: mccr8)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-bounds, csectype-uninitialized)
Attachments
(4 files)
1.02 KB,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
1.80 KB,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
1.14 KB,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
1.55 KB,
patch
|
smaug
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
I just saw https://bugzilla.mozilla.org/show_bug.cgi?id=1185593, with the suggestive crash frame: 0 xul.dll nsXULPrototypeElement::Deserialize(nsIObjectInputStream*, nsXULPrototypeDocument*, nsIURI*, nsTArray<nsRefPtr<mozilla::dom::NodeInfo> > const*) dom/xul/nsXULElement.cpp Which resolves to: nsresult nsXULPrototypeElement::Deserialize(nsIObjectInputStream* aStream, nsXULPrototypeDocument* aProtoDoc, nsIURI* aDocumentURI, const nsTArray<nsRefPtr<mozilla::dom::NodeInfo>> *aNodeInfos) { NS_PRECONDITION(aNodeInfos, "missing nodeinfo array"); // Read Node Info uint32_t number; nsresult rv = aStream->Read32(&number); > mNodeInfo = aNodeInfos->ElementAt(number); Is it really OK to read |number| from the stream and use it as an index into aNodeInfos without checking it?
Comment 1•9 years ago
|
||
It's a trusted stream... I don't see how this can be a security issue.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1) > It's a trusted stream... I don't see how this can be a security issue. Do you mean "trusted" in the sense that only Mozilla-supplied code or a malfunctioning extension could produce an invalid stream?
Assignee | ||
Comment 3•9 years ago
|
||
Buffer overflows in random chrome code aren't really a security issue, as it could do other much worse things.
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
(In reply to Andrew McCreight [:mccr8] from comment #3) > Buffer overflows in random chrome code aren't really a security issue, as it > could do other much worse things. Hmm. That seems true about intentional attacks, but not entirely with respect to bugs in extensions. How much should the framework protect itself from that kind of thing?
Assignee | ||
Comment 5•9 years ago
|
||
(In reply to q1 from comment #4) > Hmm. That seems true about intentional attacks, but not entirely with > respect to bugs in extensions. How much should the framework protect itself > from that kind of thing? Sure, I guess it could be useful to add some more checks.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 6•9 years ago
|
||
This particular stream is produced by our C++ code; I don't believe extensions have a chance to stomp on it by accident (though a malicious one might be able to mess with things here, I expect).
(In reply to Boris Zbarsky [:bz] from comment #6) > This particular stream is produced by our C++ code; I don't believe > extensions have a chance to stomp on it by accident (though a malicious one > might be able to mess with things here, I expect). What code produces this stream? It does seem that something stomped it, judging by the stack trace, though it's not conclusive.
Comment 8•9 years ago
|
||
nsXULPrototypeElement::Serialize and its callers, generally speaking.
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → continuation
Assignee | ||
Updated•9 years ago
|
Keywords: csectype-bounds
Assignee | ||
Updated•9 years ago
|
Summary: Possible security-related cause of bug 1185593 → nsXULPrototypeElement::Deserialize doesn't bounds check when accessing aNodeInfos
Assignee | ||
Updated•9 years ago
|
Component: DOM → XUL
Assignee | ||
Comment 9•9 years ago
|
||
There's a bunch of patches here, but it is just a series of small fixes for things I noticed in this function, including the original issue. try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=cc1270fc3343 If the first Read32() fails, |number| will be garbage.
Attachment #8642814 -
Flags: review?(bugs)
Assignee | ||
Comment 10•9 years ago
|
||
Make sure we don't do an out-of-bounds read if we read out a bogus value.
Attachment #8642815 -
Flags: review?(bugs)
Assignee | ||
Comment 11•9 years ago
|
||
If we read out a bogus value of |mNumAttributes|, it could be extremely large, causing the allocation of |mAttributes| to fail.
Attachment #8642816 -
Flags: review?(bugs)
Assignee | ||
Comment 12•9 years ago
|
||
Other code does not expect random nulls in this array, so avoid adding them, just in case we somehow end up looking at it. This code returns right after the append so it should be okay.
Attachment #8642817 -
Flags: review?(bugs)
Comment 13•9 years ago
|
||
Comment on attachment 8642814 [details] [diff] [review] part 1 - Initialize |number|. Lovely 13 years old code :/
Attachment #8642814 -
Flags: review?(bugs) → review+
Comment 14•9 years ago
|
||
Comment on attachment 8642815 [details] [diff] [review] part 2 - Add bounds checking in nsXULPrototypeElement::Deserialize(). I would just do aNodeInfos->SafeElementAt(number);
Attachment #8642815 -
Flags: review?(bugs) → review+
Comment 15•9 years ago
|
||
Comment on attachment 8642816 [details] [diff] [review] part 3 - Make allocation of nsXULPrototypeAttribute fallible in nsXULPrototypeElement::Deserialize(). Either this or remove the OOM check. Perhaps this is better.
Attachment #8642816 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 16•9 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #14) > I would just do aNodeInfos->SafeElementAt(number); It looked like SafeElementAt() will just crash the browser, and it seems bad to crash in this startup code.
Assignee | ||
Comment 17•9 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #15) > Either this or remove the OOM check. Perhaps this is better. My philosophy here is that the Read32 calls should be able to return any values and we shouldn't crash, just fail.
Updated•9 years ago
|
Attachment #8642817 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 18•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #16) > It looked like SafeElementAt() will just crash the browser, and it seems bad > to crash in this startup code. Olli pointed out in IRC that it actually just takes a default argument and returns that, so I'll just do that.
Assignee | ||
Comment 19•9 years ago
|
||
(In reply to q1 from comment #7) > What code produces this stream? It does seem that something stomped it, > judging by the stack trace, though it's not conclusive. This code is run when we are reading the XUL prototype cache during startup. This cache can get mangled in various cases, like if a user uses Windows file restore to go to an earlier version that uses a slightly different format, or maybe if it crashes while writing it is out. We're supposed to detect problems like that and just invalidate the cache, but it doesn't always happen due to other bugs.
Assignee | ||
Updated•9 years ago
|
Keywords: csectype-uninitialized
Comment 20•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d70f26619eca https://hg.mozilla.org/integration/mozilla-inbound/rev/36ee2ada09b9 https://hg.mozilla.org/integration/mozilla-inbound/rev/e7f9116e9468 https://hg.mozilla.org/integration/mozilla-inbound/rev/04ae99b066a1
Assignee | ||
Comment 21•9 years ago
|
||
Thanks for the reviews!
Comment 22•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d70f26619eca https://hg.mozilla.org/mozilla-central/rev/36ee2ada09b9 https://hg.mozilla.org/mozilla-central/rev/e7f9116e9468 https://hg.mozilla.org/mozilla-central/rev/04ae99b066a1
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
status-firefox42:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Assignee | ||
Comment 23•9 years ago
|
||
Comment on attachment 8642814 [details] [diff] [review] part 1 - Initialize |number|. The top crash in bug 1185593 seems to have gone away with the first Nightly these patches were in, so something in here must have fixed it. Thanks for the analysis, q1! Approval Request Comment [Feature/regressing bug #]: unknown [User impact if declined]: This seems to have fixed a Windows top crash that was showing up 42 (bug 1185593) and is also affecting 41, so I'm filing for approval for 41, which I think is beta now. [Describe test coverage new/current, TreeHerder]: I'm not sure. I think our automated testing of this code is bad. [Risks and why]: Low. This just improves our error handling in a number of cases. There are four patches, but they are simple. [String/UUID change made/needed]: none This approval request is for all four patches.
Attachment #8642814 -
Flags: approval-mozilla-beta?
Comment on attachment 8642814 [details] [diff] [review] part 1 - Initialize |number|. The evidence suggests that the topcrash is gone with this fix in Nightly (yes, I confirmed!). Let's uplift to m-b.
Attachment #8642814 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
status-firefox41:
--- → affected
Comment on attachment 8642815 [details] [diff] [review] part 2 - Add bounds checking in nsXULPrototypeElement::Deserialize(). [Triage Comment] Beta+
Attachment #8642815 -
Flags: approval-mozilla-beta+
Comment on attachment 8642816 [details] [diff] [review] part 3 - Make allocation of nsXULPrototypeAttribute fallible in nsXULPrototypeElement::Deserialize(). [Triage Comment] Beta+
Attachment #8642816 -
Flags: approval-mozilla-beta+
Comment on attachment 8642817 [details] [diff] [review] part 4 - Don't append null to mChildren. [Triage Comment] Beta+
Attachment #8642817 -
Flags: approval-mozilla-beta+
Reporter | ||
Comment 28•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #23) > Comment on attachment 8642814 [details] [diff] [review] > part 1 - Initialize |number|. > > The top crash in bug 1185593 seems to have gone away with the first Nightly > these patches were in, so something in here must have fixed it. Thanks for > the analysis, q1! You're welcome. I'm always happy to see another bug squashed.
Comment 29•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/e5423b114251 https://hg.mozilla.org/releases/mozilla-beta/rev/b3d63dc2991e https://hg.mozilla.org/releases/mozilla-beta/rev/8739aada6815 https://hg.mozilla.org/releases/mozilla-beta/rev/13724d34c866
You need to log in
before you can comment on or make changes to this bug.
Description
•