Closed Bug 1379797 Opened 7 years ago Closed 7 years ago

Write near null [@ GetEditCommandsRemapped]

Categories

(Core :: Widget: Gtk, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: truber, Assigned: masayuki)

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [sg:dos])

Attachments

(2 files)

Attached file testcase.html
The attached testcase causes a crash near null in m-c rev 91c943f73737.

The fuzzPriv extension is required, and can be obtained from https://github.com/MozillaSecurity/domfuzz . (run make in dom/extension to build .xpi)

==23345==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f1154521c10 bp 0x7ffcdbdc0480 sp 0x7ffcdbdc0100 T0)
==23345==The signal is caused by a WRITE memory access.
==23345==Hint: address points to the zero page.
    #0 0x7f1154521c0f in GetEditCommandsRemapped /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:6236:70
    #1 0x7f1154521c0f in nsWindow::GetEditCommands(nsIWidget::NativeKeyBindingsType, mozilla::WidgetKeyboardEvent const&, nsTArray<signed char>&) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:6294
    #2 0x7f11544b7f50 in InitEditCommandsFor /home/worker/workspace/build/src/widget/WidgetEventImpl.cpp:643:12
    #3 0x7f11544b7f50 in mozilla::WidgetKeyboardEvent::ExecuteEditCommands(nsIWidget::NativeKeyBindingsType, void (*)(mozilla::Command, void*), void*) /home/worker/workspace/build/src/widget/WidgetEventImpl.cpp:664
    #4 0x7f115462ba17 in mozilla::EditorEventListener::KeyPress(mozilla::WidgetKeyboardEvent*) /home/worker/workspace/build/src/editor/libeditor/EditorEventListener.cpp:637:23
    #5 0x7f1154629156 in mozilla::EditorEventListener::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/editor/libeditor/EditorEventListener.cpp:419:14
    #6 0x7f1152a76ba9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1141:51
    #7 0x7f1152a78b3f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
    #8 0x7f1152a58dfa in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:488:14
    #9 0x7f1152a591ac in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:517:5
    #10 0x7f1152a5c002 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
    #11 0x7f1152a2b3ba in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:893:12
    #12 0x7f1150da28f1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1345:5
    #13 0x7f1152a843e4 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/events/EventTarget.cpp:80:9
    #14 0x7f1152206002 in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:974:21
    #15 0x7f1152203430 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1150:13
    #16 0x7f1158bc4224 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
Group: core-security → dom-core-security
Whiteboard: [sg:dos]
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Component: Editor → Widget: Gtk
This is just a nullptr access crash, and it is caused only with a KeyboardEvent which is created by chrome script.

In NativeKeyBindings::GetEditCommands(), this is checked, but not so in nsWindow::GetEditCommandsRemapped().

So, I think that this is not usable as a security hole.
Attachment #8888634 - Flags: review?(karlt)
Attachment #8888634 - Flags: review?(karlt) → review+
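The pattern described in the comment above, as an added illustration that is not Mozilla's code and not the patch attached to this bug: a reduced model in which a keyboard event synthesized by script carries no native event, one remap routine writes through that pointer unconditionally (the null write), and its guarded counterpart bails out first. Every type and function name below (NativeKeyEvent, KeyboardEvent, RemapBuggy, RemapFixed, GetEditCommandsFixed, HasNativeEvent) is hypothetical; the field layout and the command values are invented for the example and do not correspond to nsWindow.cpp or to the 0x1c offset in the ASan report. The actual fix is the mozilla-inbound commit linked further down.

```cpp
// Added example, not Firefox code: a reduced model of the nullptr-write
// pattern in this bug. All names and layouts are hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a native (GDK-side) key event.
struct NativeKeyEvent {
    uint32_t keyval;
    uint32_t state;
    uint32_t hardwareKeycode;
};

// Hypothetical stand-in for the widget-level keyboard event. An event
// created by chrome script has no native event behind it, so
// mNativeKeyEvent is nullptr.
struct KeyboardEvent {
    NativeKeyEvent* mNativeKeyEvent;
    uint32_t keyCode;
    bool isShift;
};

// Edit commands are small integers in this model.
enum Command { CMD_NONE = 0, CMD_BEGIN_LINE = 1, CMD_END_LINE = 2 };

// Buggy pattern: remap a field on the native event without checking that
// the native event exists. For a script-created event this is a write
// through nullptr, i.e. a write to a small address near the zero page.
void RemapBuggy(KeyboardEvent& ev, uint32_t remappedKeycode) {
    ev.mNativeKeyEvent->hardwareKeycode = remappedKeycode;  // nullptr deref
}

// Fixed pattern: do nothing when the event was not created from a native
// event. Returns false so the caller can skip native key bindings.
bool RemapFixed(KeyboardEvent& ev, uint32_t remappedKeycode) {
    if (!ev.mNativeKeyEvent) {
        return false;
    }
    ev.mNativeKeyEvent->hardwareKeycode = remappedKeycode;
    return true;
}

// Shape of a GetEditCommands-style caller: remap first, then translate the
// key into commands. A script-created event yields no commands at all.
std::vector<Command> GetEditCommandsFixed(KeyboardEvent& ev) {
    std::vector<Command> out;
    if (!RemapFixed(ev, 0x41)) {   // 0x41 is an arbitrary remapped keycode
        return out;
    }
    out.push_back(ev.isShift ? CMD_END_LINE : CMD_BEGIN_LINE);
    return out;
}

// The check the guarded path relies on, exposed for callers and tests.
bool HasNativeEvent(const KeyboardEvent& ev) {
    return ev.mNativeKeyEvent != nullptr;
}

int main() {
    NativeKeyEvent native{0xff50 /* constructed: Home keyval */, 0, 110};
    KeyboardEvent fromWidget{&native, 36, false};
    KeyboardEvent fromScript{nullptr, 36, false};  // as chrome JS would create

    std::printf("native-backed event: %zu command(s)\n",
                GetEditCommandsFixed(fromWidget).size());
    std::printf("script-created event: %zu command(s)\n",
                GetEditCommandsFixed(fromScript).size());
    // RemapBuggy(fromScript, 0x41);  // would crash: write through nullptr
    return 0;
}
```

The guard belongs in the remap routine itself, not only in NativeKeyBindings::GetEditCommands(): once two callers share the assumption "a native event is present", a check in one of them does not protect the other, which is exactly the asymmetry the comment above points out.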
Can I land the patch? I guess that this is sec-moderate or lower because this crash is caused by keyboard events created by chrome script.
Flags: needinfo?(dveditz)
Sorry, I don't think this should have been marked sec.
(In reply to Jesse Schwartzentruber (:truber) from comment #3)
> Sorry, I don't think this should have been marked sec.

Yeah, I agree. But security team should confirm it...

Oh, and dveditz is PTO until August, I'm adding ni? to other security team members...

abillings:

Could you moderate this bug? It writes a member of a class referred to with nullptr. This can occur only when chrome script creates keyboard events and dispatches them into <input>, <textarea>, <foo contenteditable> or a designMode document.
Flags: needinfo?(abillings)
Opening this up. Feel free to land on trunk.
Group: dom-core-security
Flags: needinfo?(abillings)
Thank you, Al Billings!
Flags: needinfo?(dveditz)
https://hg.mozilla.org/integration/mozilla-inbound/rev/e5cbd17779363c4986f747fe11f5845de3ee9610
Bug 1379797 - nsWindow::GetEditCommandsRemapped() should do nothing if given event wasn't created with a native event r=karlt
https://hg.mozilla.org/mozilla-central/rev/e5cbd1777936
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Regression from bug 1339543 I guess? Either way, too late for 55 given that the RC is coming on Monday.