Closed Bug 1338277 Opened 7 years ago Closed 7 years ago

NULL deref [@ txExpandedNameMap_base::removeItem]

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Version:
6 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr45 --- wontfix
firefox51 + wontfix
firefox52 + wontfix
firefox-esr52 --- wontfix
firefox53 + wontfix
firefox54 + wontfix
firefox55 --- fixed

People

(Reporter: tsmith, Assigned: peterv)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main55-][post-critsmash-triage])

Crash Data

Attachments

(3 files)

log.txt
8.15 KB, text/plain
Details
test_case.html
793 bytes, text/html
Details
Branch patch v1
2.31 KB, patch
erahm
: review+
Details | Diff | Splinter Review
Attached file log.txt 
Marking as s-s for now. There have been some UAFs found in XSLT recently and we just got a fuzzer up and running.

==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f14bde55996 bp 0x7fff2b029dc0 sp 0x7fff2b029d90 T0)
    #0 0x7f14bde55995 in Hdr /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:642:32
    #1 0x7f14bde55995 in Elements /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1150
    #2 0x7f14bde55995 in IndexOf<txExpandedName, txMapItemComparator> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1273
    #3 0x7f14bde55995 in txExpandedNameMap_base::removeItem(txExpandedName const&) /home/worker/workspace/build/src/dom/xslt/base/txExpandedNameMap.cpp:97
    #4 0x7f14bdec1859 in remove /home/worker/workspace/build/src/dom/xslt/base/txExpandedNameMap.h:126:20
    #5 0x7f14bdec1859 in removeVariable /home/worker/workspace/build/src/dom/xslt/xslt/txVariableMap.h:74
    #6 0x7f14bdec1859 in removeVariable /home/worker/workspace/build/src/dom/xslt/xslt/txExecutionState.cpp:518
    #7 0x7f14bdec1859 in txRemoveVariable::execute(txExecutionState&) /home/worker/workspace/build/src/dom/xslt/xslt/txInstructions.cpp:737
    #8 0x7f14bdf1c23d in txXSLTProcessor::execute(txExecutionState&) /home/worker/workspace/build/src/dom/xslt/xslt/txXSLTProcessor.cpp:49:14
    #9 0x7f14bdee5108 in txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument**, bool) /home/worker/workspace/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:676:14
    #10 0x7f14bdeeb2ab in TransformToDocument /home/worker/workspace/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:645:12
...
see log.txt
Attached file test_case.html 

    
    

    
  
The obvious null check here isn't enough, since other scarier looking crashes happen with that.
peterv and pike might remember some of this code.

    
    

    
  
Should the sec-rating be changed?
Blocks: grizzly

    
    

    
  
Also Jonas. I have to admit, I don't even recall what all those xslt stylesheet things are supposed to do in theory, let alone the code that implements them.

    
    

    
  
Here's a stack from a current nightly:
https://crash-stats.mozilla.com/report/index/8c54dcfb-faa6-43b1-9556-c4f622170210
Crash Signature: [@ nsTArray_Impl<T>::IndexOf<T> | txExpandedNameMap_base::removeItem ]

    
    

    
  
Bindings stuff on the stack just means "yeah, we got called from JS"....

This is a crash in the guts of the XSLT stuff, not really bindings related per se.  Looking in that range, we have changes to XSLT code from bug 1191645.  But I don't think we're doing any actual URL-fetch stylesheet loading that would have been affected by that.

It also looks like on current Mac I can't run those year-old nightlies at all.  They crash on startup.  :(

    
    

    
  
Not caused.  Testcase just uses "let" in a non-strict no-version script, so ends up throwing errors before that changeset.  Change the "let" to "var" in the testcase and I expect you will reproduce with earlier builds....
No longer blocks: 932517

    
    

    
  
Well, that was a fun night of slow builds down the drain.

New regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c3c4c902e9cd&tochange=31879b88cc82
Version: 44 Branch → 6 Branch

    
    

    
  
This is probably related to the issue I mentioned in bug 1336832 comment 7, we need to propagate errors from matching instead of blindly continuing executing. In this case we try to call txExecutionState::removeVariable even though we skipped txExecutionState::bindVariable due to a matching error.

    
  
Assignee: nobody → peterv
Status: NEW → ASSIGNED

    
    

    
  
Looks like a wontfix for 52 as well now.

          status-firefox51:
          affectedwontfix

          status-firefox52:
          affectedwontfix

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Branch patch v1Splinter Review
      

    


  
This is a spot fix we should take on branches, the underlying issue would be fixed by the trunk patch in bug 1336828.

        Attachment #8840869 -
        Flags: review?(erahm)

    
    

    
  
Comment on attachment 8840869 [details] [diff] [review]
Branch patch v1

Review of attachment 8840869 [details] [diff] [review]:
-----------------------------------------------------------------

r=me

        Attachment #8840869 -
        Flags: review?(erahm) → review+

    
    

    
  
Comment on attachment 8840869 [details] [diff] [review]
Branch patch v1

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not easily I think.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

The testcase does.

Which older supported branches are affected by this flaw?

All.

If not all supported branches, which bug introduced the flaw?

All branches are affected.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Should just apply to branches.

How likely is this patch to cause regressions; how much testing does it need?

Shouldn't cause regressions, it just adds a null-check before dereferencing a pointer.

Note that this is a lower-risk patch intended for branches. I have a different, much bigger change for trunk (in bug 1336828). Please let me know if it's ok to not land the branch patch on trunk, otherwise we could land this on trunk too, and then backout and land the riskier change from bug 1336828 only on trunk.

        Attachment #8840869 -
        Flags: sec-approval?

    
    

    
  
Comment on attachment 8840869 [details] [diff] [review]
Branch patch v1

Sec-approval is only necessary for sec-high and sec-critical rated issues that affect more than trunk. Since this is not high or critical, I'm clearing. You can just check in.

        Attachment #8840869 -
        Flags: sec-approval?

    
  
Blocks: 1349717

    
    

    
  
I think we should just fix this with the patch from bug 1349717. After annotating the asserts the testcase still leaks too with just this patch.
Flags: needinfo?(peterv)

    
    

    
  
Per comment 23.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox53:
          affectedwontfix

          status-firefox54:
          affectedwontfix

          status-firefox55:
          --- → fixed

          status-firefox-esr45:
          affectedwontfix

          status-firefox-esr52:
          affectedwontfix

          tracking-firefox-esr45:
          ? → ---

          tracking-firefox-esr52:
          ? → ---
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: dom-core-security → core-security-release
Whiteboard: [adv-main55-]
Flags: qe-verify-
Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: