Closed Bug 1246014 (CVE-2016-1960) Opened 9 years ago Closed 9 years ago

ZDI-CAN-3545: Mozilla Firefox nsHtml5TreeBuilder Array Indexing Remote Code Execution Vulnerability

Categories

(Core :: DOM: HTML Parser, defect)

22 Branch
defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla47
Tracking Status
firefox44 --- wontfix
firefox45 + verified
firefox46 + fixed
firefox47 + verified
firefox-esr38 45+ verified
firefox-esr45 --- verified

People

(Reporter: abillings, Assigned: hsivonen)

References

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [adv-main45+][adv-esr38.7+] dom-triaged)

Attachments

(4 files)

We received the following security bug report from ZDI:

ZDI-CAN-3545: Mozilla Firefox nsHtml5TreeBuilder Array Indexing Remote Code Execution Vulnerability

-- CVSS -----------------------------------------
6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P

-- ABSTRACT -------------------------------------
HP's Zero Day Initiative has identified a vulnerability affecting the following products:

Mozilla Firefox

-- VULNERABILITY DETAILS ------------------------
Tested on Windows 8.1.

```
(f70.4d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=ffffffff ecx=17e6adfc edx=00000002 esi=108a4860 edi=0a675ec0
eip=5f00c7d5 esp=0049d068 ebp=00000002 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
xul!nsHtml5TreeBuilder::endTag+0x3c67e8:
5f00c7d5 83780c03        cmp     dword ptr [eax+0Ch],3 ds:0023:4141414d=????????
0:000> !lmi xul
Loaded Module Info: [xul]
         Module: xul
   Base Address: 5e800000
     Image Name: C:\Program Files\Mozilla Firefox\xul.dll
   Machine Type: 332 (I386)
     Time Stamp: 568c8871 Tue Jan 05 19:22:25 2016
           Size: 255b000
       CheckSum: 24bdf46
Characteristics: 2122
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    76, 1ed7e78, 1ed6e78 RSDS - GUID: {0AED2A28-9F61-4C0A-86B0-6C0FD6F2A00F}
               Age: 2, Pdb: c:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\obj-firefox\toolkit\library\xul.pdb
                   ??    14, 1ed7ef0, 1ed6ef0 [Data not mapped]
                CLSID     4, 1ed7f04, 1ed6f04 [Data not mapped]
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Program Files\Mozilla Firefox\xul.dll
    Symbol Type: PDB      - Symbols loaded successfully from image path.
                 z:\export\symbols\xul.pdb\0AED2A289F614C0A86B06C0FD6F2A00F2\xul.pdb
       Compiler: Linker - front end [0.0 bld 0] - back end [12.0 bld 30723]
    Load Report: private symbols & lines, source indexed
                 z:\export\symbols\xul.pdb\0AED2A289F614C0A86B06C0FD6F2A00F2\xul.pdb
0:000> lmvm xul
start    end        module name
5e800000 60d5b000   xul        (private pdb symbols)  z:\export\symbols\xul.pdb\0AED2A289F614C0A86B06C0FD6F2A00F2\xul.pdb
    Loaded symbol image file: C:\Program Files\Mozilla Firefox\xul.dll
    Image path: C:\Program Files\Mozilla Firefox\xul.dll
    Image name: xul.dll
    Timestamp:        Tue Jan 05 19:22:25 2016 (568C8871)
    CheckSum:         024BDF46
    ImageSize:        0255B000
    File version:     43.0.4.5848
    Product version:  43.0.4.5848
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Firefox
    InternalName:     Firefox
    OriginalFilename: xul.dll
    ProductVersion:   43.0.4
    FileVersion:      43.0.4
    FileDescription:  43.0.4
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla
```

Tested on the nightly build from 20150120:

```
(cec.750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=ffffffff ecx=1abb66fc edx=00000002 esi=0fbcfb80 edi=0d067100
eip=5beda4da esp=006dcb58 ebp=006dcb6c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
xul!nsHtml5TreeBuilder::endTag+0x3e9613:
5beda4da 83780c03        cmp     dword ptr [eax+0Ch],3 ds:0023:4141414d=????????
0:000> ub @eip
xul!nsHtml5TreeBuilder::endTag+0x3e95f4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5treebuilder.cpp @ 3033]:
5beda4bb e9906ac1ff      jmp     xul!nsHtml5TreeBuilder::endTag+0x89 (5baf0f50)
5beda4c0 807e1400        cmp     byte ptr [esi+14h],0
5beda4c4 0f85e76dc1ff    jne     xul!nsHtml5TreeBuilder::endTag+0x3ea (5baf12b1)
5beda4ca e9906bc1ff      jmp     xul!nsHtml5TreeBuilder::endTag+0x198 (5baf105f)
5beda4cf 8b5e38          mov     ebx,dword ptr [esi+38h]
5beda4d2 8b4630          mov     eax,dword ptr [esi+30h]
5beda4d5 8d0c98          lea     ecx,[eax+ebx*4]
5beda4d8 8b01            mov     eax,dword ptr [ecx]
0:000> dc @ecx
1abb66fc  41414141 109408e0 17766ac0 17766c60  AAAA.....jv.`lv.
1abb670c  17766c40 e5e5e5e5 e5e5e5e5 e5e5e5e5  @lv.............
1abb671c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb672c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb673c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb674c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb675c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb676c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
0:000> dc @ecx-10
1abb66ec  41414141 424241c4 41414141 424241c4  AAAA.ABBAAAA.ABB
1abb66fc  41414141 109408e0 17766ac0 17766c60  AAAA.....jv.`lv.
1abb670c  17766c40 e5e5e5e5 e5e5e5e5 e5e5e5e5  @lv.............
1abb671c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb672c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb673c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb674c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
1abb675c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
0:000> kv
ChildEBP RetAddr  Args to Child
006dcb6c 5baf2c8f 0d08a8d0 00000038 19373530 xul!nsHtml5TreeBuilder::endTag+0x3e9613 (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5treebuilder.cpp @ 2743]
006dcb80 5baf1a89 00000000 00000038 19373530 xul!nsHtml5Tokenizer::emitCurrentTagToken+0xa0 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5tokenizer.cpp @ 296]
006dcbb4 5baf1808 00000000 00000000 00000038 xul!nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>+0x19b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5tokenizer.cpp @ 2048]
006dcbec 5c29679d 006dcc08 14cee800 006dcd18 xul!nsHtml5Tokenizer::tokenizeBuffer+0x63 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5tokenizer.cpp @ 405]
006dcc14 5c2962bd 006dcd18 14cee800 00000000 xul!nsHtml5StringParser::Tokenize+0x111 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5stringparser.cpp @ 116]
006dcc38 5c3949eb 006dcd18 1766ab00 0d05f960 xul!nsHtml5StringParser::ParseFragment+0x62 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\parser\html\nshtml5stringparser.cpp @ 64]
006dcc68 5be4285a 0d05f960 0000000a 1766ab00 xul!nsContentUtils::ParseFragmentHTML+0x7d (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nscontentutils.cpp @ 4409]
006dcce8 5bcd4763 006dcd18 006dcd08 006dcee8 xul!mozilla::dom::FragmentOrElement::SetInnerHTMLInternal+0x54d54e (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\fragmentorelement.cpp @ 2280]
006dcdb0 5bb7e554 156f76b0 006dcde8 1766ab00 xul!mozilla::dom::ElementBinding::set_innerHTML+0x62 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\elementbinding.cpp @ 2699]
006dcdfc 5b90719e 156f76b0 00000001 1766ab00 xul!mozilla::dom::GenericBindingSetter+0xd2 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\bindings\bindingutils.cpp @ 2682]
006dce84 5b9058bd 00000000 006dd0a0 156f76b0 xul!js::Invoke+0x13e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 481]
006dcf20 5b9d37e6 006dcf68 00000001 006dd030 xul!js::Invoke+0x10a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 533]
006dcf5c 5b9d5090 006dd030 19f8db00 ffffff88 xul!js::InvokeSetter+0x4f (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 651]
006dcfb0 5b9d66f2 006dd094 006dd1d0 006dd030 xul!SetExistingProperty+0xfb (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 2289]
006dd054 5b9d4f36 006dd094 006dd1d0 0ee850b8 xul!js::NativeSetProperty+0x291 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 2323]
006dd0ac 5b8bbd69 0ee850b0 006dd1d0 0ee850b8 xul!SetPropertyOperation+0xa2 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 290]
006de0d4 5bd87e26 00000000 006de1d0 006de1d0 xul!Interpret+0x47c9 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 2601]
006de160 5b907258 156f76b0 006de1c0 19f95940 xul!js::RunScript+0x1f6 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 428]
006de1e4 5b9058bd 00000000 156f76b0 006de398 xul!js::Invoke+0x1f8 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 502]
006de280 5b72aac4 006de2b8 00000001 006de318 xul!js::Invoke+0x10a (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 533]
006de364 5b72ad13 156f76b0 006de398 177f08e0 xul!mozilla::dom::EventHandlerNonNull::Call+0x19a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\eventhandlerbinding.cpp @ 260]
006de4d4 5b72a6f0 17763808 177f08e0 006de560 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0xb2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\dom\eventhandlerbinding.h @ 351]
006de6e8 5b728688 17763800 177f08e0 006dea44 xul!mozilla::JSEventHandler::HandleEvent+0xf8 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\jseventhandler.cpp @ 216]
006de94c 5b727336 16770800 006deae8 006dea4c xul!mozilla::EventListenerManager::HandleEventInternal+0x298 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventlistenermanager.cpp @ 1164]
006de990 5b77a735 00000000 006dea34 00000000 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x196 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 317]
006dea8c 5b7c763f 006deae8 00000000 006deae0 xul!mozilla::EventDispatcher::Dispatch+0x5c5 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 656]
006deb48 5b73bb2e 179ef950 00000000 157cec00 xul!nsDocumentViewer::LoadComplete+0x26f (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 995]
006deeb0 5b73b8f7 157cec14 14cee02c 00000000 xul!nsDocShell::EndPageLoad+0xfb (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7505]
006def58 5b743547 157ced18 157cec14 14cee02c xul!nsDocShell::OnStateChange+0xc3 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7311]
006defa0 5b743bcc 157cec14 14cee02c 157ced18 xul!nsDocLoader::DoFireOnStateChange+0xc7 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 1256]
006deff8 5b743e4d 14cee02c 00000000 129697a0 xul!nsDocLoader::doStopDocumentLoad+0x6a (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 838]
006df034 5b744081 00000001 158cca20 157cec04 xul!nsDocLoader::DocLoaderIsEmpty+0x193 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 730]
006df0b8 5bb4c127 157cec04 16428e48 00000000 xul!nsDocLoader::OnStopRequest+0x15d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 612]
006df180 5b749d68 158cca20 16428e48 00000000 xul!nsLoadGroup::RemoveRequest+0x195 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\netwerk\base\nsloadgroup.cpp @ 634]
006df1a8 5b7492ec 14cee800 12bf0600 11fbd420 xul!nsDocument::DoUnblockOnload+0x47 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsdocument.cpp @ 9018]
006df1cc 5b74c830 00000001 024044c4 024081d0 xul!nsDocument::UnblockOnload+0xf1 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsdocument.cpp @ 8947]
006df224 5b72ef6b 006df324 5b7ce89c 17766060 xul!nsDocument::DispatchContentLoadedEvents+0x131 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsdocument.cpp @ 5087]
006df22c 5b7ce89c 17766060 02446650 02446640 xul!nsRunnableMethodImpl<void (__thiscall mozilla::dom::Animation::*)(void),1>::Run+0x17 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nsthreadutils.h @ 872]
006df324 5b7cd8b6 024081d0 00000000 006df357 xul!nsThread::ProcessNextEvent+0x7bc (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 997]
006df358 5ba5f12b 02453300 05d313e3 024044c0 xul!mozilla::ipc::MessagePump::Run+0x57 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 95]
006df390 5ba5f155 024081d0 00000001 5b7cd400 xul!MessageLoop::RunHandler+0x20 (FPO: [SEH]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 228]
006df3b0 5b7cda7b 0d07cfc0 00000000 006df3d0 xul!MessageLoop::Run+0x19 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 202]
006df3c0 5b7cf75f 024044c0 0d07cfc0 006df3e4 xul!nsBaseAppShell::Run+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
006df3d0 5bb1540b 024044c0 006df72d 11fdafa0 xul!nsAppShell::Run+0x1d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 257]
006df3e4 5bc4edf1 0d07cfc0 006df650 006df638 xul!nsAppStartup::Run+0x22 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\components\startup\nsappstartup.cpp @ 282]
006df5c0 5bc4e2d9 00000001 006df760 01c82ff8 xul!XREMain::XRE_mainRun+0x5e7 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4326]
006df5dc 5bce6229 00000000 01c82ff8 006df760 xul!XREMain::XRE_main+0x118 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4423]
006df738 00ae16d5 00000001 01c82ff8 006df760 xul!XRE_main+0x3e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4526]
006df8d4 00ae1322 02404100 01c86ff8 01c82ff8 firefox!do_main+0x155 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 212]
006df97c 00ae10de 00ae257b 00ae257b 00000000 firefox!NS_internal_main+0x122 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 354]
006df990 00ae24fe 01c82ff8 feb68fb0 007edf70 firefox!wmain+0xbe (FPO: [Non-Fpo]) (CONV: cdecl) [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 138]
006df9d8 754b4198 7fa89000 754b4170 5b470725 firefox!__tmainCRTStartup+0xfe (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 255]
006df9ec 77723101 7fa89000 7ffab072 00000000 KERNEL32!BaseThreadInitThunk+0x24 (FPO: [Non-Fpo])
006dfa34 777230cf ffffffff 7774ed69 00000000 ntdll!__RtlUserThreadStart+0x2b (FPO: [SEH])
006dfa44 00000000 00ae257b 7fa89000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
0:000> !lmi xul
Loaded Module Info: [xul]
         Module: xul
   Base Address: 5b660000
     Image Name: C:\Program Files\Nightly\xul.dll
   Machine Type: 332 (I386)
     Time Stamp: 569fa561 Wed Jan 20 07:18:57 2016
           Size: 27a4000
       CheckSum: 26fe897
Characteristics: 2122
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    7a, 20dd3f8, 20dbff8 RSDS - GUID: {A83D4058-E28E-4EBF-A9BA-E1FE6EDD1A28}
               Age: 2, Pdb: c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\toolkit\library\xul.pdb
                   ??    14, 20dd474, 20dc074 [Data not mapped]
                CLSID     4, 20dd488, 20dc088 [Data not mapped]
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Program Files\Nightly\xul.dll
    Symbol Type: PDB      - Symbols loaded successfully from image path.
                 z:\export\symbols\xul.pdb\A83D4058E28E4EBFA9BAE1FE6EDD1A282\xul.pdb
       Compiler: Linker - front end [0.0 bld 0] - back end [12.0 bld 30723]
    Load Report: private symbols & lines, source indexed
                 z:\export\symbols\xul.pdb\A83D4058E28E4EBFA9BAE1FE6EDD1A282\xul.pdb
0:000> lmvm xul
start    end        module name
5b660000 5de04000   xul        (private pdb symbols)  z:\export\symbols\xul.pdb\A83D4058E28E4EBFA9BAE1FE6EDD1A282\xul.pdb
    Loaded symbol image file: C:\Program Files\Nightly\xul.dll
    Image path: C:\Program Files\Nightly\xul.dll
    Image name: xul.dll
    Timestamp:        Wed Jan 20 07:18:57 2016 (569FA561)
    CheckSum:         026FE897
    ImageSize:        027A4000
    File version:     46.0.0.5863
    Product version:  46.0.0.5863
    File flags:       2 (Mask 3F) Pre-release
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Nightly
    InternalName:     Nightly
    OriginalFilename: xul.dll
    ProductVersion:   46.0a1
    FileVersion:      46.0a1
    FileDescription:  46.0a1
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla
0:000> vertarget
Windows 8 Version 9600 UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.17415 (winblue_r4.141028-1500)
Machine Name:
Debug session time: Thu Jan 21 13:03:26.371 2016 (UTC - 8:00)
System Uptime: 0 days 0:32:05.185
Process Uptime: 0 days 0:02:42.905
  Kernel time: 0 days 0:00:00.796
  User time: 0 days 0:00:02.375
```

And without the spray:

```
(9d4.77c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=ffffffff ecx=16f58efc edx=00000002 esi=179ab8b0 edi=0d363060
eip=5beda4da esp=00fad058 ebp=00fad06c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210216
xul!nsHtml5TreeBuilder::endTag+0x3e9613:
5beda4da 83780c03        cmp     dword ptr [eax+0Ch],3 ds:0023:0000000c=????????
0:000> dc @ecx
16f58efc  00000000 1101d100 1a19eb20 1a19ed00  ........ .......
16f58f0c  1a19ece0 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f1c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f2c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f3c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f4c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f5c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
16f58f6c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................
```

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
ca0nguyen working with HP's Zero Day Initiative

-- FURTHER DETAILS ------------------------------
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline please coordinate with us so that we may release our advisory detailing the issue. If the 120 day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations so that the public can protect themselves in the absence of a patch.

Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@hpe.com

The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------
Established by TippingPoint and acquired by Hewlett-Packard, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is used. The ZDI does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its HP TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
sec-critical because EAX is controlled, and UAF because the E5E5E5E5 memory indicates a jemalloc-freed chunk. Testing this in an ASAN build would detect when this chunk was freed which is likely closer to the bug than the part where it crashed.
Attachment #8716110 - Attachment description: Testcase from email → Testcase from email (crashes)
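The triage above reads two fill patterns out of the register dump: 0xe5e5e5e5 is the poison jemalloc writes over freed chunks, and 0x41414141 ("AAAA") is the spray filler that ended up in EAX. As an added example (not part of the bug report or of any Mozilla tooling), here is a small C++ helper that parses WinDbg `dc` lines and counts those patterns so the same reasoning can be applied mechanically to a dump; the sample lines are constructed from the report's `dc @ecx` output, and the function and type names are the example's own.

```cpp
// Added example, not part of the bug report: a crash-triage helper that parses
// WinDbg "dc" output and classifies each 32-bit word by the fill patterns used
// in the triage comment (0xe5e5e5e5 = jemalloc poison over freed memory,
// 0x41414141 = "AAAA" spray filler). The sample dump is constructed from the
// report's "dc @ecx" lines.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>

enum WordKind { kOther, kJemallocFreed, kSprayFill, kNull };

WordKind classifyWord(uint32_t w) {
    if (w == 0xe5e5e5e5u) return kJemallocFreed;
    if (w == 0x41414141u) return kSprayFill;
    if (w == 0u) return kNull;
    return kOther;
}

struct DumpSummary {
    std::size_t words = 0;          // 32-bit words parsed
    std::size_t jemallocFreed = 0;  // words equal to 0xe5e5e5e5
    std::size_t sprayFill = 0;      // words equal to 0x41414141
    std::size_t nulls = 0;          // zero words
};

// True for an 8-digit hex token (an address or a dumped dword).
static bool isHexWord(const std::string& tok) {
    if (tok.size() != 8) return false;
    for (char c : tok) {
        if (!std::isxdigit(static_cast<unsigned char>(c))) return false;
    }
    return true;
}

// Each "dc" line is: address, up to four hex words, then an ASCII column.
// Only the first four hex tokens after the address are treated as data, so
// the ASCII column (and prompt lines such as "0:000> dc @ecx") are skipped.
DumpSummary summarizeDc(const std::string& dump) {
    DumpSummary s;
    std::istringstream lines(dump);
    std::string line;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        std::string tok;
        if (!(fields >> tok) || !isHexWord(tok)) continue;  // not a dump line
        for (int i = 0; i < 4 && (fields >> tok) && isHexWord(tok); ++i) {
            uint32_t w = static_cast<uint32_t>(std::stoul(tok, nullptr, 16));
            ++s.words;
            switch (classifyWord(w)) {
                case kJemallocFreed: ++s.jemallocFreed; break;
                case kSprayFill:     ++s.sprayFill;     break;
                case kNull:          ++s.nulls;         break;
                case kOther:         break;
            }
        }
    }
    return s;
}

// Constructed from the first three lines of the report's "dc @ecx" output.
const char* const kSampleDump =
    "0:000> dc @ecx\n"
    "1abb66fc  41414141 109408e0 17766ac0 17766c60  AAAA.....jv..lv.\n"
    "1abb670c  17766c40 e5e5e5e5 e5e5e5e5 e5e5e5e5  @lv.............\n"
    "1abb671c  e5e5e5e5 e5e5e5e5 e5e5e5e5 e5e5e5e5  ................\n";

int main() {
    DumpSummary s = summarizeDc(kSampleDump);
    std::printf("%zu words: %zu jemalloc-freed, %zu spray fill, %zu null\n",
                s.words, s.jemallocFreed, s.sprayFill, s.nulls);
    if (s.jemallocFreed > 0) {
        std::printf("freed-chunk poison present: treat as a likely use-after-free\n");
    }
    return 0;
}
```

The poison count is only a hint about where the crashing pointer came from; as the comment says, an ASan build is what actually shows the free that preceded the bad read.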
On Mac, in Dev Edition (Firefox 46), I'm getting something that looks more like a null deref bp-06b8413c-119e-4088-8835-194ee2160205 Platform difference? Or something changed since the older version. Will test that next.
Same on Release (Firefox 44) and ESR 38.5.2: bp-73113e06-fe51-42d0-bb39-007fc2160205 Guess we need to try Windows and ASAN.
Could be the heap spray just isn't big enough to work on a 64-bit build. That could obviously be adjusted by the attacker.
Hmm, we are crashing in the generated code.
Whiteboard: dom-triaged
Henri, could you take a look at this?
Flags: needinfo?(hsivonen)
(In reply to Olli Pettay [:smaug] (high review load) from comment #7)
> Henri, could you take a look at this?

OK.
Assignee: nobody → hsivonen
Flags: needinfo?(hsivonen)
The good news is that, as expected, this bug reproduces in Java, so I'll debug it there.
Attached patch Java patch
The template implementation performed "clear the stack back to a table row context" incorrectly, because it assumed that the root of the stack always has the dispatch group HTML, but that's not the case when parsing with a foreign fragment context. (In this case, the dispatch group at stack[0] was SVG.)
Attachment #8716877 - Flags: review?(wchen)
Attached patch Gecko patch
Attachment #8716878 - Flags: review?(wchen)
Comment on attachment 8716875 [details]
Test case in html5lib format

The test case in html5lib format should be contributed to https://github.com/html5lib/html5lib-tests/ when it's time to disclose the test and pulled into our unit tests by syncing our copy with the upstream. When it's time to disclose the test case, would ca0nguyen wish to contribute it to html5lib-test themself or should I create a PR crediting ca0nguyen and ZDI? (I hope ZDI is OK with contributing the test to html5lib-tests.)
Attachment #8716877 - Flags: review?(wchen) → review+
Attachment #8716878 - Flags: review?(wchen) → review+
Comment on attachment 8716878 [details] [diff] [review]
Gecko patch

[Security approval request comment]

> How easily could an exploit be constructed based on the patch?
Given the knowledge that this is a security fix (which can be concluded from the checkin comment containing just the number of a restricted bug), it is trivial to conclude that the starting point of the exploit is innerHTML invoked on <svg> or <math> with <template> in the assigned string and some table-related stuff inside the template. An attacker with any attention span at all will then be able to figure out the rest to find the exploitable condition. We should then expect the ease of actual exploit to be similar to out-of-bounds memory access in general.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No, there are none. (The test case is to be landed later.)

> Which older supported branches are affected by this flaw?
All supported branches.

> If not all supported branches, which bug introduced the flaw?
(The bug was introduced by bug 818976 in Gecko 22.)

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The same fix applies.

> How likely is this patch to cause regressions; how much testing does it need?
About as unlikely to regress anything else as possible.

Please also indicate whether the Java repo patch should land at a different time and please indicate when it's appropriate to share the test case with all vendors via the html5lib-tests repo.
Attachment #8716878 - Flags: sec-approval?
> Please also indicate whether the Java repo patch should land at a different time

This was a silly question to ask. It has to land to the Java repo at the same time to avoid accidentally overwriting the fix in Gecko later.
sec-approval+. Please nominate patches for Aurora, Beta, and ESR38 as well.
Attachment #8716878 - Flags: sec-approval? → sec-approval+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment on attachment 8716878 [details] [diff] [review]
Gecko patch

> [Approval Request Comment]
> If this is not a sec:{high,crit} bug, please state case for ESR consideration:
sec-critical
> User impact if declined:
Security risk.
> Fix Landed on Version:
47
> Risk to taking this patch (and alternatives if risky):
Extremely low risk.
> String or UUID changes made by this patch:
None.
> See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

> Approval Request Comment
> [Feature/regressing bug #]:
bug 818976
> [User impact if declined]:
Security risk.
> [Describe test coverage new/current, TreeHerder]:
Test not landed due to security sensitivity.
> [Risks and why]:
Extremely low risk, because this changed a check for the item at the start of an array from a sentinel check to an index-zero check.
> [String/UUID change made/needed]:
None.
Attachment #8716878 - Flags: approval-mozilla-esr38?
Attachment #8716878 - Flags: approval-mozilla-beta?
Attachment #8716878 - Flags: approval-mozilla-aurora?
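The Java patch comment describes the root cause (the template code's "clear the stack back to a table row context" assumed that stack[0] always has dispatch group HTML, which is false for a foreign fragment context where stack[0] is SVG) and the approval request describes the shape of the fix (a sentinel check on the first array item replaced by an index-zero check). As an added example that is not Gecko's or the html5lib tree builder's own code, the C++ model below puts the two loops side by side on a simplified open-element stack: the sentinel version walks off the front of the array when the root is not HTML, and the index-zero version stops at the root whatever its group. The group names and the stack contents are assumptions made for the model; the index -1 it reports is consistent with `ebx=ffffffff` in the report's `lea ecx,[eax+ebx*4]`, but the model does not claim to reproduce Gecko's exact control flow.

```cpp
// Added example, not Gecko's or the html5lib parser's own code: a simplified
// model of the tree builder's open-element stack, contrasting the sentinel
// check the buggy template code relied on with the index-zero check the fix
// describes. Group names and stack contents are assumptions for this model.
#include <cstdio>
#include <vector>

// Dispatch groups used by this model; the real parser has many more.
enum Group { HTML, SVG, TEMPLATE, TR, TABLE, TBODY, DIV };

static bool isTableRowContext(Group g) { return g == TR || g == TEMPLATE; }

// Sentinel-style loop: pop until TR, TEMPLATE or HTML is on top. This is only
// safe if stack[0] is always HTML. In a foreign fragment context (innerHTML on
// <svg>), stack[0] is SVG, so the loop runs past the front of the array.
// The model returns the index the loop would read next instead of actually
// dereferencing it; -1 stands for stack[-1], the out-of-bounds read.
int clearBackToTableRowContextSentinel(const std::vector<Group>& stack) {
    int currentPtr = static_cast<int>(stack.size()) - 1;
    while (currentPtr >= 0 &&
           !isTableRowContext(stack[currentPtr]) &&
           stack[currentPtr] != HTML) {
        --currentPtr;  // pop()
    }
    return currentPtr;  // -1 means the real loop would read stack[-1]
}

// Index-zero check: whatever element is the root of the stack (html for a
// document, the context element for a fragment), it is never popped.
int clearBackToTableRowContextIndexZero(const std::vector<Group>& stack) {
    int currentPtr = static_cast<int>(stack.size()) - 1;
    while (currentPtr > 0 && !isTableRowContext(stack[currentPtr])) {
        --currentPtr;  // pop()
    }
    return currentPtr;  // never below 0 for a non-empty stack
}

int main() {
    // Constructed stacks: a normal document, and a foreign fragment context
    // (innerHTML on <svg>) with table-related elements above an SVG root.
    const std::vector<Group> document = {HTML, TABLE, TBODY, TR, DIV};
    const std::vector<Group> svgFragment = {SVG, TABLE, TBODY, DIV};

    std::printf("document:     sentinel=%d index-zero=%d\n",
                clearBackToTableRowContextSentinel(document),
                clearBackToTableRowContextIndexZero(document));
    std::printf("svg fragment: sentinel=%d index-zero=%d\n",
                clearBackToTableRowContextSentinel(svgFragment),
                clearBackToTableRowContextIndexZero(svgFragment));
    return 0;
}
```

For the document stack both loops stop at the TR (index 3); for the SVG fragment the sentinel loop reports -1 while the index-zero loop stops at the root. The same contrast applies to any "walk back to a context" loop over a stack whose root is supplied by the caller: terminate on the index, not on a property the root is assumed to have.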
Comment on attachment 8716878 [details] [diff] [review]
Gecko patch

Fix a sec critical issue. Should be in 45 beta 5.
Attachment #8716878 - Flags: approval-mozilla-esr38?
Attachment #8716878 - Flags: approval-mozilla-esr38+
Attachment #8716878 - Flags: approval-mozilla-beta?
Attachment #8716878 - Flags: approval-mozilla-beta+
Attachment #8716878 - Flags: approval-mozilla-aurora?
Attachment #8716878 - Flags: approval-mozilla-aurora+
Blocks: 818976
Group: dom-core-security → core-security-release
Hi Wes, we also need to uplift the patch to ESR38. Thanks!
Flags: needinfo?(wkocher)
Whiteboard: dom-triaged → [adv-main45+][adv-esr38.7+] dom-triaged
Alias: CVE-2016-1960
Reproduced the crash with "Nightly has stopped working" message using 47.0a1 Nightly debug builds under Win 7 64-bit and Ubuntu 14.04 64-bit. The crash no longer occurs with Firefox 45.0 2016-03-01, Nightly 47.0a1 2016-03-02 and 45.0esr builds. 38.6.1esr build is also not affected by the crash, but it is instead crashing at shutdown. There are no crash reports in about:crashes. I'm marking these versions as verified.
Keywords: regression
Flags: in-testsuite?
Version: unspecified → 22 Branch
Group: core-security-release