Closed Bug 1231761 (CVE-2016-1933) Opened 4 years ago Closed 4 years ago

DoS loading a specially crafted image in Firefox 43.0b9

Categories

(Core :: ImageLib, defect)

43 Branch
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 1235605

People

(Reporter: gustavo.grieco, Unassigned)

Details

(Keywords: crash, regression, sec-moderate, Whiteboard: [adv-main44+])

Attachments

(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151030084315

Steps to reproduce:

A DoS was found in the last version of Firefox Beta (Firefox 43.0b9). Just loading this website:

http://dcc.fceia.unr.edu.ar/~ggrieco/crash.html


Actual results:

Firefox will abort/crash:

out of memory: 0xFFFFFFFFFFE40028 bytes requested

Program received signal SIGSEGV, Segmentation fault.
0x00000000004088bf in mozalloc_abort(char const*) ()
(gdb) bt
#0  0x00000000004088bf in mozalloc_abort(char const*) ()
#1  0x0000000000408931 in mozalloc_handle_oom(unsigned long) ()
#2  0x0000000000404f7d in moz_xmalloc ()
#3  0x00007ffff1a6b221 in ?? () from /home/g/Apps/firefox/libxul.so
#4  0x00007ffff1a6b438 in ?? () from /home/g/Apps/firefox/libxul.so
#5  0x00007ffff1a7f386 in ?? () from /home/g/Apps/firefox/libxul.so
#6  0x00007ffff1a69f6c in ?? () from /home/g/Apps/firefox/libxul.so
#7  0x00007ffff1a6b1b0 in ?? () from /home/g/Apps/firefox/libxul.so
#8  0x00007ffff1a6ec43 in ?? () from /home/g/Apps/firefox/libxul.so
#9  0x00007ffff1a6ee22 in ?? () from /home/g/Apps/firefox/libxul.so
#10 0x00007ffff10a9f9a in ?? () from /home/g/Apps/firefox/libxul.so
#11 0x00007ffff10b1d59 in ?? () from /home/g/Apps/firefox/libxul.so
#12 0x00007ffff160eee7 in ?? () from /home/g/Apps/firefox/libxul.so
#13 0x00007ffff15fd2a2 in ?? () from /home/g/Apps/firefox/libxul.so
#14 0x00007ffff1402ccf in ?? () from /home/g/Apps/firefox/libxul.so
#15 0x00007ffff66eaa55 in ?? () from /home/g/Apps/firefox/libnspr4.so
#16 0x00007ffff7bc4182 in start_thread (arg=0x7fffccc12700) at pthread_create.c:312
#17 0x00007ffff6cc547d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(sorry for the lack of symbols, i couldn't find an updated version of Firefox with debugging symbols enabled and ASAN provided no more details)

Since Firefox is failing trying to allocate such a large amount of memory maybe there is a integer overflow somewhere, so i'm very interested to know which is the cause of this issue. That's why i'm flagging this issue as a security related bug.


Expected results:

It shouldn't abort (for instance, Firefox 42 is *not* affected)
This is an intentional crash when we detect potentially unrecoverable memory problems. Don't need to hide it to protect anyone and we'll get more traction as a public bug.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, csectype-dos
Whiteboard: [sg:dos]
Attached file asan_log.txt
we can narrow down what the broken change is using http://mozilla.github.io/mozregression/
Keywords: regression
Attached image oom.gif (obsolete) —
Attached file test_case.gif.zip
Attachment #8698522 - Attachment is obsolete: true
I confirm it is affecting Firefox 43.0 (release)
Group: gfx-core-security
Keywords: csectype-dos
Whiteboard: [sg:dos]
This feels like it could be the same issue as bug 1235605, which manifested with an OOM but was actually an integer overflow. The stack looks similar or identical.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1235605
This was the original report of the issue, but the other bug has more discussion, so I'll dupe it forward. Sorry we did not look deeper at your original report.
Flags: sec-bounty?
Keywords: sec-moderate
Whiteboard: [adv-main44+]
Alias: CVE-2016-1933
Flags: sec-bounty? → sec-bounty+
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.