Bug 1246014 (CVE-2016-1960)

ZDI-CAN-3545: Mozilla Firefox nsHtml5TreeBuilder Array Indexing Remote Code Execution Vulnerability

VERIFIED FIXED in Firefox 45

Status


defect
VERIFIED FIXED
3 years ago
3 years ago

People

(Reporter: abillings, Assigned: hsivonen)

Tracking

({csectype-uaf, regression, sec-critical})

22 Branch
mozilla47
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox44 wontfix, firefox45+ verified, firefox46+ fixed, firefox47+ verified, firefox-esr3845+ verified, firefox-esr45 verified)

Details

(Whiteboard: [adv-main45+][adv-esr38.7+] dom-triaged)

Attachments

(4 attachments)

(Reporter)

Description

3 years ago
We received the following security bug report from ZDI:

ZDI-CAN-3545: Mozilla Firefox nsHtml5TreeBuilder Array Indexing Remote Code Execution Vulnerability


-- CVSS -----------------------------------------

6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P

-- ABSTRACT -------------------------------------

HP's Zero Day Initiative has identified a vulnerability affecting the following products:

  Mozilla Firefox

-- VULNERABILITY DETAILS ------------------------

Tested on Windows 8.1.

```
(f70.4d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=ffffffff ecx=17e6adfc edx=00000002 esi=108a4860 edi=0a675ec0
eip=5f00c7d5 esp=0049d068 ebp=00000002 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
xul!nsHtml5TreeBuilder::endTag+0x3c67e8:
5f00c7d5 83780c03        cmp     dword ptr [eax+0Ch],3 ds:0023:4141414d=????????
0:000> !lmi xul
Loaded Module Info: [xul]
         Module: xul
   Base Address: 5e800000
     Image Name: C:\Program Files\Mozilla Firefox\xul.dll
   Machine Type: 332 (I386)
     Time Stamp: 568c8871 Tue Jan 05 19:22:25 2016
           Size: 255b000
       CheckSum: 24bdf46
Characteristics: 2122  
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    76, 1ed7e78, 1ed6e78 RSDS - GUID: {0AED2A28-9F61-4C0A-86B0-6C0FD6F2A00F}
               Age: 2, Pdb: c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\obj-firefox\toolkit\library\xul.pdb
                   ??    14, 1ed7ef0, 1ed6ef0 [Data not mapped]
                CLSID     4, 1ed7f04, 1ed6f04 [Data not mapped]
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Program Files\Mozilla Firefox\xul.dll
    Symbol Type: PDB      - Symbols loaded successfully from image path.
                 z:\export\symbols\xul.pdb\0AED2A289F614C0A86B06C0FD6F2A00F2\xul.pdb
       Compiler: Linker - front end [0.0 bld 0] - back end [12.0 bld 30723]
    Load Report: private symbols & lines, source indexed
                 z:\export\symbols\xul.pdb\0AED2A289F614C0A86B06C0FD6F2A00F2\xul.pdb
0:000> lmvm xul
start    end        module name
5e800000 60d5b000   xul        (private pdb symbols)  z:\export\symbols\xul.pdb\0AED2A289F614C0A86B06C0FD6F2A00F2\xul.pdb
    Loaded symbol image file: C:\Program Files\Mozilla Firefox\xul.dll
    Image path: C:\Program Files\Mozilla Firefox\xul.dll
    Image name: xul.dll
    Timestamp:        Tue Jan 05 19:22:25 2016 (568C8871)
    CheckSum:         024BDF46
    ImageSize:        0255B000
    File version:     43.0.4.5848
    Product version:  43.0.4.5848
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Firefox
    InternalName:     Firefox
    OriginalFilename: xul.dll
    ProductVersion:   43.0.4
    FileVersion:      43.0.4
    FileDescription:  43.0.4
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla

```

Tested on the nightly build from 20150120:

```
(cec.750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=ffffffff ecx=1abb66fc edx=00000002 esi=0fbcfb80 edi=0d067100
eip=5beda4da esp=006dcb58 ebp=006dcb6c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
xul!nsHtml5TreeBuilder::endTag+0x3e9613:
5beda4da 83780c03        cmp     dword ptr [eax+0Ch],3 ds:0023:4141414d=????????
0:000> ub @eip
xul!nsHtml5TreeBuilder::endTag+0x3e95f4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5treebuilder.cpp @ 3033]:
5beda4bb e9906ac1ff      jmp     xul!nsHtml5TreeBuilder::endTag+0x89 (5baf0f50)
5beda4c0 807e1400        cmp     byte ptr [esi+14h],0
5beda4c4 0f85e76dc1ff    jne     xul!nsHtml5TreeBuilder::endTag+0x3ea (5baf12b1)
5beda4ca e9906bc1ff      jmp     xul!nsHtml5TreeBuilder::endTag+0x198 (5baf105f)
5beda4cf 8b5e38          mov     ebx,dword ptr [esi+38h]
5beda4d2 8b4630          mov     eax,dword ptr [esi+30h]
5beda4d5 8d0c98          lea     ecx,[eax+ebx*4]
5beda4d8 8b01            mov     eax,dword ptr [ecx]
0:000> dc @ecx
1abb66fc  41414141 109408e0 17766ac0 17766c60  AAAA.....jv.`lv.
1abb670c  17766c40 e5e5e5e5 e5e5e5e5 e5e5e5e5  @lv.............
1abb671c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb672c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb673c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb674c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb675c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb676c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
0:000> dc @ecx-10
1abb66ec  41414141 424241c4 41414141 424241c4  AAAA.ABBAAAA.ABB
1abb66fc  41414141 109408e0 17766ac0 17766c60  AAAA.....jv.`lv.
1abb670c  17766c40 e5e5e5e5 e5e5e5e5 e5e5e5e5  @lv.............
1abb671c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb672c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb673c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb674c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb675c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
0:000> kv
ChildEBP RetAddr  Args to Child              
006dcb6c 5baf2c8f 0d08a8d0 00000038 19373530 xul!nsHtml5TreeBuilder::endTag+0x3e9613 (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5treebuilder.cpp @ 2743]
006dcb80 5baf1a89 00000000 00000038 19373530 xul!nsHtml5Tokenizer::emitCurrentTagToken+0xa0 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5tokenizer.cpp @ 296]
006dcbb4 5baf1808 00000000 00000000 00000038 xul!nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>+0x19b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5tokenizer.cpp @ 2048]
006dcbec 5c29679d 006dcc08 14cee800 006dcd18 xul!nsHtml5Tokenizer::tokenizeBuffer+0x63 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5tokenizer.cpp @ 405]
006dcc14 5c2962bd 006dcd18 14cee800 00000000 xul!nsHtml5StringParser::Tokenize+0x111 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5stringparser.cpp @ 116]
006dcc38 5c3949eb 006dcd18 1766ab00 0d05f960 xul!nsHtml5StringParser::ParseFragment+0x62 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5stringparser.cpp @ 64]
006dcc68 5be4285a 0d05f960 0000000a 1766ab00 xul!nsContentUtils::ParseFragmentHTML+0x7d (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nscontentutils.cpp @ 4409]
006dcce8 5bcd4763 006dcd18 006dcd08 006dcee8 xul!mozilla::dom::FragmentOrElement::SetInnerHTMLInternal+0x54d54e (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\fragmentorelement.cpp @ 2280]
006dcdb0 5bb7e554 156f76b0 006dcde8 1766ab00 xul!mozilla::dom::ElementBinding::set_innerHTML+0x62 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\elementbinding.cpp @ 2699]
006dcdfc 5b90719e 156f76b0 00000001 1766ab00 xul!mozilla::dom::GenericBindingSetter+0xd2 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\bindings\bindingutils.cpp @ 2682]
006dce84 5b9058bd 00000000 006dd0a0 156f76b0 xul!js::Invoke+0x13e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 481]
006dcf20 5b9d37e6 006dcf68 00000001 006dd030 xul!js::Invoke+0x10a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 533]
006dcf5c 5b9d5090 006dd030 19f8db00 ffffff88 xul!js::InvokeSetter+0x4f (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 651]
006dcfb0 5b9d66f2 006dd094 006dd1d0 006dd030 xul!SetExistingProperty+0xfb (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 2289]
006dd054 5b9d4f36 006dd094 006dd1d0 0ee850b8 xul!js::NativeSetProperty+0x291 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 2323]
006dd0ac 5b8bbd69 0ee850b0 006dd1d0 0ee850b8 xul!SetPropertyOperation+0xa2 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 290]
006de0d4 5bd87e26 00000000 006de1d0 006de1d0 xul!Interpret+0x47c9 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 2601]
006de160 5b907258 156f76b0 006de1c0 19f95940 xul!js::RunScript+0x1f6 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 428]
006de1e4 5b9058bd 00000000 156f76b0 006de398 xul!js::Invoke+0x1f8 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 502]
006de280 5b72aac4 006de2b8 00000001 006de318 xul!js::Invoke+0x10a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 533]
006de364 5b72ad13 156f76b0 006de398 177f08e0 xul!mozilla::dom::EventHandlerNonNull::Call+0x19a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\eventhandlerbinding.cpp @ 260]
006de4d4 5b72a6f0 17763808 177f08e0 006de560 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\dom\eventhandlerbinding.h @ 351]
006de6e8 5b728688 17763800 177f08e0 006dea44 xul!mozilla::JSEventHandler::HandleEvent+0xf8 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\jseventhandler.cpp @ 216]
006de94c 5b727336 16770800 006deae8 006dea4c xul!mozilla::EventListenerManager::HandleEventInternal+0x298 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventlistenermanager.cpp @ 1164]
006de990 5b77a735 00000000 006dea34 00000000 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x196 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 317]
006dea8c 5b7c763f 006deae8 00000000 006deae0 xul!mozilla::EventDispatcher::Dispatch+0x5c5 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 656]
006deb48 5b73bb2e 179ef950 00000000 157cec00 xul!nsDocumentViewer::LoadComplete+0x26f (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 995]
006deeb0 5b73b8f7 157cec14 14cee02c 00000000 xul!nsDocShell::EndPageLoad+0xfb (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7505]
006def58 5b743547 157ced18 157cec14 14cee02c xul!nsDocShell::OnStateChange+0xc3 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7311]
006defa0 5b743bcc 157cec14 14cee02c 157ced18 xul!nsDocLoader::DoFireOnStateChange+0xc7 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 1256]
006deff8 5b743e4d 14cee02c 00000000 129697a0 xul!nsDocLoader::doStopDocumentLoad+0x6a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 838]
006df034 5b744081 00000001 158cca20 157cec04 xul!nsDocLoader::DocLoaderIsEmpty+0x193 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 730]
006df0b8 5bb4c127 157cec04 16428e48 00000000 xul!nsDocLoader::OnStopRequest+0x15d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 612]
006df180 5b749d68 158cca20 16428e48 00000000 xul!nsLoadGroup::RemoveRequest+0x195 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\netwerk\base\nsloadgroup.cpp @ 634]
006df1a8 5b7492ec 14cee800 12bf0600 11fbd420 xul!nsDocument::DoUnblockOnload+0x47 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsdocument.cpp @ 9018]
006df1cc 5b74c830 00000001 024044c4 024081d0 xul!nsDocument::UnblockOnload+0xf1 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsdocument.cpp @ 8947]
006df224 5b72ef6b 006df324 5b7ce89c 17766060 xul!nsDocument::DispatchContentLoadedEvents+0x131 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsdocument.cpp @ 5087]
006df22c 5b7ce89c 17766060 02446650 02446640 xul!nsRunnableMethodImpl<void (__thiscall mozilla::dom::Animation::*)(void),1>::Run+0x17 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nsthreadutils.h @ 872]
006df324 5b7cd8b6 024081d0 00000000 006df357 xul!nsThread::ProcessNextEvent+0x7bc (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 997]
006df358 5ba5f12b 02453300 05d313e3 024044c0 xul!mozilla::ipc::MessagePump::Run+0x57 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 95]
006df390 5ba5f155 024081d0 00000001 5b7cd400 xul!MessageLoop::RunHandler+0x20 (FPO: [SEH]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 228]
006df3b0 5b7cda7b 0d07cfc0 00000000 006df3d0 xul!MessageLoop::Run+0x19 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 202]
006df3c0 5b7cf75f 024044c0 0d07cfc0 006df3e4 xul!nsBaseAppShell::Run+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
006df3d0 5bb1540b 024044c0 006df72d 11fdafa0 xul!nsAppShell::Run+0x1d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 257]
006df3e4 5bc4edf1 0d07cfc0 006df650 006df638 xul!nsAppStartup::Run+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\components\startup\nsappstartup.cpp @ 282]
006df5c0 5bc4e2d9 00000001 006df760 01c82ff8 xul!XREMain::XRE_mainRun+0x5e7 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4326]
006df5dc 5bce6229 00000000 01c82ff8 006df760 xul!XREMain::XRE_main+0x118 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4423]
006df738 00ae16d5 00000001 01c82ff8 006df760 xul!XRE_main+0x3e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4526]
006df8d4 00ae1322 02404100 01c86ff8 01c82ff8 firefox!do_main+0x155 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 212]
006df97c 00ae10de 00ae257b 00ae257b 00000000 firefox!NS_internal_main+0x122 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 354]
006df990 00ae24fe 01c82ff8 feb68fb0 007edf70 firefox!wmain+0xbe (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 138]
006df9d8 754b4198 7fa89000 754b4170 5b470725 firefox!__tmainCRTStartup+0xfe (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 255]
006df9ec 77723101 7fa89000 7ffab072 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo])
006dfa34 777230cf ffffffff 7774ed69 00000000 ntdll!__RtlUserThreadStart+0x2b (FPO: [SEH])
006dfa44 00000000 00ae257b 7fa89000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
0:000> !lmi xul
Loaded Module Info: [xul]
         Module: xul
   Base Address: 5b660000
     Image Name: C:\Program Files\Nightly\xul.dll
   Machine Type: 332 (I386)
     Time Stamp: 569fa561 Wed Jan 20 07:18:57 2016
           Size: 27a4000
       CheckSum: 26fe897
Characteristics: 2122  
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    7a, 20dd3f8, 20dbff8 RSDS - GUID: {A83D4058-E28E-4EBF-A9BA-E1FE6EDD1A28}
               Age: 2, Pdb: c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\toolkit\library\xul.pdb
                   ??    14, 20dd474, 20dc074 [Data not mapped]
                CLSID     4, 20dd488, 20dc088 [Data not mapped]
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Program Files\Nightly\xul.dll
    Symbol Type: PDB      - Symbols loaded successfully from image path.
                 z:\export\symbols\xul.pdb\A83D4058E28E4EBFA9BAE1FE6EDD1A282\xul.pdb
       Compiler: Linker - front end [0.0 bld 0] - back end [12.0 bld 30723]
    Load Report: private symbols & lines, source indexed
                 z:\export\symbols\xul.pdb\A83D4058E28E4EBFA9BAE1FE6EDD1A282\xul.pdb
0:000> lmvm xul
start    end        module name
5b660000 5de04000   xul        (private pdb symbols)  z:\export\symbols\xul.pdb\A83D4058E28E4EBFA9BAE1FE6EDD1A282\xul.pdb
    Loaded symbol image file: C:\Program Files\Nightly\xul.dll
    Image path: C:\Program Files\Nightly\xul.dll
    Image name: xul.dll
    Timestamp:        Wed Jan 20 07:18:57 2016 (569FA561)
    CheckSum:         026FE897
    ImageSize:        027A4000
    File version:     46.0.0.5863
    Product version:  46.0.0.5863
    File flags:       2 (Mask 3F) Pre-release
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Nightly
    InternalName:     Nightly
    OriginalFilename: xul.dll
    ProductVersion:   46.0a1
    FileVersion:      46.0a1
    FileDescription:  46.0a1
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla
0:000> vertarget
Windows 8 Version 9600 UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.17415 (winblue_r4.141028-1500)
Machine Name:
Debug session time: Thu Jan 21 13:03:26.371 2016 (UTC - 8:00)
System Uptime: 0 days 0:32:05.185
Process Uptime: 0 days 0:02:42.905
  Kernel time: 0 days 0:00:00.796
  User time: 0 days 0:00:02.375

```

And without the spray:

```
(9d4.77c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=ffffffff ecx=16f58efc edx=00000002 esi=179ab8b0 edi=0d363060
eip=5beda4da esp=00fad058 ebp=00fad06c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
xul!nsHtml5TreeBuilder::endTag+0x3e9613:
5beda4da 83780c03        cmp     dword ptr [eax+0Ch],3 ds:0023:0000000c=????????
0:000> dc @ecx
16f58efc  00000000 1101d100 1a19eb20 1a19ed00  ........ .......
16f58f0c  1a19ece0 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f1c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f2c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f3c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f4c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f5c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f6c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
```

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   ca0nguyen working with HP's Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline please coordinate with us so that we may release our advisory detailing the issue. If the 120 day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@hpe.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------

Established by TippingPoint and acquired by Hewlett-Packard, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is used. The ZDI does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its HP TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
sec-critical because EAX is controlled, and UAF because the E5E5E5E5 memory indicates a jemalloc-freed chunk. Testing this in an ASAN build would detect when this chunk was freed which is likely closer to the bug than the part where it crashed.
(Reporter)

Updated

3 years ago
Attachment #8716110 - Attachment description: Testcase from email → Testcase from email (crashes)
On Mac, in Dev Edition (Firefox 46), I'm getting something that looks more like a null deref
bp-06b8413c-119e-4088-8835-194ee2160205

Platform difference? Or something changed since the older version. Will test that next.
Same on Release (Firefox 44) and ESR 38.5.2: bp-73113e06-fe51-42d0-bb39-007fc2160205

Guess we need to try Windows and ASAN.
Could be the heap spray just isn't big enough to work on a 64-bit build. That could obviously be adjusted by the attacker.
Hmm, we are crashing in the generated code.
Whiteboard: dom-triaged
Henri, could you take a look at this?
Flags: needinfo?(hsivonen)
(In reply to Olli Pettay [:smaug] (high review load) from comment #7)
> Henri, could you take a look at this?

OK.
Assignee: nobody → hsivonen
Flags: needinfo?(hsivonen)
The good news is that, as expected, this bug reproduces in Java, so I'll debug it there.
Posted patch: Java patch
The template implementation performed "clear the stack back to a table row context" incorrectly, because it assumed that the root of the stack always has the dispatch group HTML, but that's not the case when parsing with a foreign fragment context. (In this case, the dispatch group at stack[0] was SVG.)
Attachment #8716877 - Flags: review?(wchen)
Comment on attachment 8716875 [details]
Test case in html5lib format

The test case in html5lib format should be contributed to https://github.com/html5lib/html5lib-tests/ when it's time to disclose the test and pulled into our unit tests by syncing our copy with the upstream.

When it's time to disclose the test case, would ca0nguyen wish to contribute it to html5lib-test themself or should I create a PR crediting ca0nguyen and ZDI? (I hope ZDI is OK with contributing the test to html5lib-tests.)
Attachment #8716877 - Flags: review?(wchen) → review+
Attachment #8716878 - Flags: review?(wchen) → review+
Comment on attachment 8716878 [details] [diff] [review]
Gecko patch

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?

Given the knowledge that this is a security fix (which can be concluded from the checkin comment containing just the number of a restricted bug), it is trivial to conclude that the starting point of the exploit is innerHTML invoked on <svg> or <math> with <template> in the assigned string and some table-related stuff inside the template. An attacker with any attention span at all will then be able to figure out the rest to find the exploitable condition. We should then expect the ease of actual exploit to be similar to out-of-bounds memory access in general.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No, there are none. (The test case is to be landed later.)

> Which older supported branches are affected by this flaw?

All supported branches. 

> If not all supported branches, which bug introduced the flaw?

(The bug was introduced by bug 818976 in Gecko 22.)

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

The same fix applies.

> How likely is this patch to cause regressions; how much testing does it need?

About as unlikely to regress anything else as possible.

Please also indicate whether the Java repo patch should land at a different time and please indicate when it's appropriate to share the test case with all vendors via the html5lib-tests repo.
Attachment #8716878 - Flags: sec-approval?
> Please also indicate whether the Java repo patch should land at a different time

This was a silly question to ask. It has to land to the Java repo at the same time to avoid accidentally overwriting the fix in Gecko later.
(Reporter)

Comment 16

3 years ago
sec-approval+. Please nominate patches for Aurora, Beta, and ESR38 as well.
(Reporter)

Updated

3 years ago
Attachment #8716878 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/dfeebfdf8d96
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment on attachment 8716878 [details] [diff] [review]
Gecko patch

> [Approval Request Comment]
> If this is not a sec:{high,crit} bug, please state case for ESR consideration:

sec-critical

> User impact if declined: 

Security risk.

> Fix Landed on Version:

47

> Risk to taking this patch (and alternatives if risky): 

Extremely low risk.

> String or UUID changes made by this patch: 

None.

> See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

> Approval Request Comment
> [Feature/regressing bug #]:

bug 818976

> [User impact if declined]:

Security risk.

> [Describe test coverage new/current, TreeHerder]:

Test not landed due to security sensitivity.

> [Risks and why]: 

Extremely low risk, because this changed a check for the item at the start of an array from a sentinel check to an index-zero check.

> [String/UUID change made/needed]:

None.
Attachment #8716878 - Flags: approval-mozilla-esr38?
Attachment #8716878 - Flags: approval-mozilla-beta?
Attachment #8716878 - Flags: approval-mozilla-aurora?
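The defect Henri describes in comment 10 (a "clear the stack back to a table row context" loop that assumes stack[0] has dispatch group HTML, which is false for a foreign fragment context) and the fix summarised in the approval request above (a sentinel check replaced by an index-zero check), modelled side by side as an added C++ example. This is a simplified model written for this page, not Gecko's or the Java parser's own code; the `Group` enum, `ElementStack` type and function names are assumptions, and the signed index exists only so that walking past the root is observable rather than an out-of-bounds read.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <vector>

// Dispatch groups: a small subset of the tree builder's groups (assumed names).
enum class Group { HTML, SVG, MATH, TEMPLATE, TABLE, TBODY, TR, TD };

// Model of the open-element stack. The index is signed so that a loop walking
// past index 0 is observable here instead of being an out-of-bounds read.
struct ElementStack {
  std::vector<Group> stack;     // stack[0] is the root: HTML for a document,
                                // SVG or MATH for a foreign fragment context
  long currentPtr;              // index of the current node
  bool walkedPastRoot = false;  // set when a loop reads stack[-1]

  ElementStack(std::initializer_list<Group> groups)
      : stack(groups), currentPtr(static_cast<long>(groups.size()) - 1) {}

  // Read the current node's group; record an out-of-bounds read rather than perform it.
  Group groupAtCurrent() {
    if (currentPtr < 0 || currentPtr >= static_cast<long>(stack.size())) {
      walkedPastRoot = true;
      return Group::HTML;  // arbitrary: the real code reads whatever memory is there
    }
    return stack[static_cast<std::size_t>(currentPtr)];
  }
  void pop() { --currentPtr; }
};

// Before the fix (simplified): the loop stops only at a TR, TEMPLATE or HTML
// node, so it relies on stack[0] being HTML as a sentinel. Returns false when
// the walk leaves the array, which is the situation behind the crash above.
bool clearStackBackToTableRowContextSentinel(ElementStack& s) {
  for (;;) {
    Group g = s.groupAtCurrent();
    if (s.walkedPastRoot) return false;
    if (g == Group::TR || g == Group::TEMPLATE || g == Group::HTML) return true;
    s.pop();
  }
}

// After the fix (simplified): the loop also stops at index 0, whatever group
// the root node has, so a foreign fragment context can no longer be walked past.
bool clearStackBackToTableRowContextIndexZero(ElementStack& s) {
  while (s.currentPtr > 0) {
    Group g = s.groupAtCurrent();
    if (g == Group::TR || g == Group::TEMPLATE) return true;
    s.pop();
  }
  return !s.walkedPastRoot;
}

int main() {
  // Constructed stacks: a normal document, and a fragment parsed with an <svg>
  // context that has table content on the stack when the clearing loop runs.
  ElementStack doc{Group::HTML, Group::TABLE, Group::TBODY, Group::TR, Group::TD};
  ElementStack svgFragment{Group::SVG, Group::TBODY};
  ElementStack svgFragmentFixed{Group::SVG, Group::TBODY};

  std::cout << "document, sentinel loop: "
            << (clearStackBackToTableRowContextSentinel(doc) ? "ok" : "walked past root") << '\n';
  std::cout << "svg fragment, sentinel loop: "
            << (clearStackBackToTableRowContextSentinel(svgFragment) ? "ok" : "walked past root") << '\n';
  std::cout << "svg fragment, index-zero loop: "
            << (clearStackBackToTableRowContextIndexZero(svgFragmentFixed) ? "ok" : "walked past root") << '\n';
  return 0;
}
```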
Comment on attachment 8716878 [details] [diff] [review]
Gecko patch

Fix a sec critical issue.
Should be in 45 beta 5.
Attachment #8716878 - Flags: approval-mozilla-esr38?
Attachment #8716878 - Flags: approval-mozilla-esr38+
Attachment #8716878 - Flags: approval-mozilla-beta?
Attachment #8716878 - Flags: approval-mozilla-beta+
Attachment #8716878 - Flags: approval-mozilla-aurora?
Attachment #8716878 - Flags: approval-mozilla-aurora+
Blocks: 818976
Group: dom-core-security → core-security-release
Hi Wes, we also need to uplift the patch to ESR38. Thanks!
Flags: needinfo?(wkocher)
(Reporter)

Updated

3 years ago
Whiteboard: dom-triaged → [adv-main45+][adv-esr38.7+] dom-triaged
(Reporter)

Updated

3 years ago
Alias: CVE-2016-1960
Reproduced the crash with "Nightly has stopped working" message using 47.0a1 Nightly debug builds under Win 7 64-bit and Ubuntu 14.04 64-bit.

The crash no longer occurs with Firefox 45.0 2016-03-01, Nightly 47.0a1 2016-03-02 and 45.0esr builds.
38.6.1esr build is also not affected by the crash, but it is instead crashing at shutdown. There are no crash reports in about:crashes.

I'm marking these versions as verified.
Keywords: regression
Flags: in-testsuite?
Version: unspecified → 22 Branch
Group: core-security-release