Bug 1379797 - Write near null [@ GetEditCommandsRemapped]
Status: Closed (RESOLVED FIXED); Target Milestone: mozilla56
Opened 7 years ago; Closed 7 years ago
Categories: Core :: Widget: Gtk, defect
Branch | Tracking flag | Status flag
---|---|---
firefox-esr52 | --- | unaffected
firefox54 | --- | unaffected
firefox55 | --- | wontfix
firefox56 | --- | fixed
People: Reporter: truber, Assigned: masayuki
Details: Keywords: crash, csectype-nullptr, testcase; Whiteboard: [sg:dos]
Attachments (2 files):
- 343 bytes, text/html
- 1.69 KB, patch; karlt: review+
Description (Reporter, 7 years ago):
The attached testcase causes a crash near null in m-c rev 91c943f73737. The fuzzPriv extension is required, and can be obtained from https://github.com/MozillaSecurity/domfuzz . (run make in dom/extension to build .xpi)

==23345==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f1154521c10 bp 0x7ffcdbdc0480 sp 0x7ffcdbdc0100 T0)
==23345==The signal is caused by a WRITE memory access.
==23345==Hint: address points to the zero page.
    #0 0x7f1154521c0f in GetEditCommandsRemapped /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:6236:70
    #1 0x7f1154521c0f in nsWindow::GetEditCommands(nsIWidget::NativeKeyBindingsType, mozilla::WidgetKeyboardEvent const&, nsTArray<signed char>&) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:6294
    #2 0x7f11544b7f50 in InitEditCommandsFor /home/worker/workspace/build/src/widget/WidgetEventImpl.cpp:643:12
    #3 0x7f11544b7f50 in mozilla::WidgetKeyboardEvent::ExecuteEditCommands(nsIWidget::NativeKeyBindingsType, void (*)(mozilla::Command, void*), void*) /home/worker/workspace/build/src/widget/WidgetEventImpl.cpp:664
    #4 0x7f115462ba17 in mozilla::EditorEventListener::KeyPress(mozilla::WidgetKeyboardEvent*) /home/worker/workspace/build/src/editor/libeditor/EditorEventListener.cpp:637:23
    #5 0x7f1154629156 in mozilla::EditorEventListener::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/editor/libeditor/EditorEventListener.cpp:419:14
    #6 0x7f1152a76ba9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1141:51
    #7 0x7f1152a78b3f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
    #8 0x7f1152a58dfa in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:488:14
    #9 0x7f1152a591ac in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:517:5
    #10 0x7f1152a5c002 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
    #11 0x7f1152a2b3ba in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:893:12
    #12 0x7f1150da28f1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1345:5
    #13 0x7f1152a843e4 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/events/EventTarget.cpp:80:9
    #14 0x7f1152206002 in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:974:21
    #15 0x7f1152203430 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1150:13
    #16 0x7f1158bc4224 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
Updated 7 years ago: Group: core-security → dom-core-security
Updated 7 years ago: Keywords: csectype-nullptr; Whiteboard: [sg:dos]
Updated 7 years ago (Assignee): Assignee: nobody → masayuki; Status: NEW → ASSIGNED
Updated 7 years ago (Assignee): Component: Editor → Widget: Gtk

Comment 1 (Assignee, 7 years ago):
This is just a nullptr access crash, and it is caused only by a KeyboardEvent created by chrome script. In NativeKeyBindings::GetEditCommands(), this is checked, but it is not in nsWindow::GetEditCommandsRemapped(). So, I think that this is not exploitable as a security hole.
Attachment #8888634 - Flags: review?(karlt)
Updated 7 years ago: Attachment #8888634 - Flags: review?(karlt) → review+

Comment 2 (Assignee, 7 years ago):
Can I land the patch? I guess that this is sec-moderate or lower, because this crash is caused by keyboard events created by chrome script.
Flags: needinfo?(dveditz)

Comment 3 (Reporter, 7 years ago):
Sorry, I don't think this should have been marked sec.

Comment 4 (Assignee, 7 years ago):
(In reply to Jesse Schwartzentruber (:truber) from comment #3)
> Sorry, I don't think this should have been marked sec.

Yeah, I agree. But the security team should confirm it... Oh, and dveditz is on PTO until August, so I'm adding ni? to other security team members... abillings: Could you moderate this bug? It writes a member of a class referred to with nullptr. This can occur only when chrome script creates keyboard events and dispatches them into <input>, <textarea>, <foo contenteditable> or a designMode document.
Flags: needinfo?(abillings)
Updated 7 years ago: Flags: needinfo?(abillings)

Comment 7 (Assignee, 7 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/e5cbd17779363c4986f747fe11f5845de3ee9610
Bug 1379797 - nsWindow::GetEditCommandsRemapped() should do nothing if given event wasn't created with a native event r=karlt
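The defect described in comment 1 and the fix named in the commit message above, as a simplified C++ model added here (not Mozilla's code: the struct and function names, the keypad-to-arrow remap and the binding table are stand-ins): the remap step writes a substitute keyval into the event's native key event before the bindings lookup, which for a script-created event with no native event is a write through a null pointer, and the fixed version returns early instead.

```cpp
#include <cstdint>
#include <map>
#include <vector>

enum class Command { CharPrevious, CharNext };

// Stand-in for the platform (GDK) key event a native key press carries.
struct NativeKeyEvent {
    uint32_t state;   // modifier mask
    uint32_t keyval;  // the field the remap overwrites
};

// Stand-in for the widget keyboard event; mNative is nullptr when the event
// was synthesized by chrome script instead of coming from a native key press.
struct KeyboardEvent {
    uint32_t keyCode;
    NativeKeyEvent* mNative;
};

// X11 keysym values for Left and KP_Left; the binding table below is a
// constructed stand-in for the real native key bindings.
constexpr uint32_t KEY_LEFT = 0xff51, KEY_KP_LEFT = 0xff96;

static std::vector<Command> LookupBindings(const NativeKeyEvent& nk) {
    static const std::map<uint32_t, Command> kBindings = {{KEY_LEFT, Command::CharPrevious}};
    auto it = kBindings.find(nk.keyval);
    if (it == kBindings.end()) return {};
    return {it->second};
}

// Before the fix: the remap (e.g. KP_Left -> Left so the non-keypad binding
// applies) writes the substitute keyval into the native event without checking
// that one exists. The event is copied, but the copy shares the native pointer,
// so for a script-created event this is a write a few bytes past address 0,
// which AddressSanitizer reports as a WRITE to a zero-page address.
// Never call this with mNative == nullptr.
static bool GetEditCommandsRemappedUnchecked(KeyboardEvent ev, uint32_t nativeKey, std::vector<Command>& out) {
    ev.mNative->keyval = nativeKey;
    out = LookupBindings(*ev.mNative);
    return !out.empty();
}

// After the fix: do nothing if the event wasn't created from a native event.
static bool GetEditCommandsRemapped(KeyboardEvent ev, uint32_t nativeKey, std::vector<Command>& out) {
    if (!ev.mNative) return false;  // synthesized event: nothing to remap
    ev.mNative->keyval = nativeKey;
    out = LookupBindings(*ev.mNative);
    return !out.empty();
}
```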

Comment 8 (bugherder, 7 years ago):
https://hg.mozilla.org/mozilla-central/rev/e5cbd1777936
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56

Comment 9 (7 years ago):
Regression from bug 1339543 I guess? Either way, too late for 55 given that the RC is coming on Monday.
status-firefox54: --- → unaffected
status-firefox55: --- → wontfix
status-firefox-esr52: --- → unaffected