Closed Bug 1413741 Opened 2 years ago Closed 2 years ago

Crash - XHR - Null Pointer Write in XMLHttpRequestWorker::Open()

Component: Core :: DOM: Workers (defect, P2)
Version: 58 Branch
Status: VERIFIED FIXED
Target Milestone: mozilla59
Tracking Status:
firefox-esr52 --- verified
firefox57 --- wontfix
firefox58 --- verified
firefox59 --- verified
Reporter: loobenyang, Assigned: baku
4 keywords, Whiteboard: [adv-main58+][adv-esr52.6+][post-critsmash-triage]
Attachments: 2 files

Attached file NullPtr_Open_Repro.js
Reproduction test case (whole server code in attached file NullPtr_Open_Repro.js):

	Worker code:
		// BroadcastChannel handler: re-enters open() on the same XHR while a
		// previous open() may still be blocked in its synchronous runnable.
		var bc0 = new BroadcastChannel("test_channel");
		bc0.onmessage = function listener1(event) {
		  xmlReq0.open("get", "NonExistFile.js", true);
		  xmlReq0.send();
		};
		// Keep an open() in flight every 25 ms so one of them overlaps a message.
		setInterval(function () { xmlReq0.open("get", "NonExistFile2.js", true); }, 25);
		var xmlReq0 = new XMLHttpRequest(); // var is hoisted, so the callbacks above see it
		xmlReq0.responseType = "blob";
		
Steps to reproduce: 
	1. Run server side script NullPtr_Open_Repro.js with Node.js (node NullPtr_Open_Repro.js).
	2. Enter http://localhost:12345 in Firefox browser.

Firefox version: 58.0a1 (2017-11-01) (32-bit)
OS: Windows 10

Stack trace:


	(5fd8.941c): Access violation - code c0000005 (!!! second chance !!!)
	eax=00000000 ebx=1723d918 ecx=805303fa edx=0000000b esi=18ccaa00 edi=189d5a20
	eip=10f2d0b0 esp=1723d898 ebp=1723d8a8 iopl=0         nv up ei pl nz na po nc
	cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
	xul!mozilla::dom::XMLHttpRequestWorker::Open+0x53d861:
	10f2d0b0 ff4834          dec     dword ptr [eax+34h]  ds:002b:00000034=????????
	3:214> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	FAULTING_IP: 
	xul!mozilla::dom::XMLHttpRequestWorker::Open+53d861 [z:\build\build\src\dom\xhr\xmlhttprequestworker.cpp @ 1898]
	10f2d0b0 ff4834          dec     dword ptr [eax+34h]

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 10f2d0b0 (xul!mozilla::dom::XMLHttpRequestWorker::Open+0x0053d861)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 00000001
	   Parameter[1]: 00000034
	Attempt to write to address 00000034

	FAULTING_THREAD:  0000941c

	DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_WRITE

	PROCESS_NAME:  firefox.exe

	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_PARAMETER1:  00000001

	EXCEPTION_PARAMETER2:  00000034

	WRITE_ADDRESS:  00000034 

	FOLLOWUP_IP: 
	xul!mozilla::dom::XMLHttpRequestWorker::Open+53d861 [z:\build\build\src\dom\xhr\xmlhttprequestworker.cpp @ 1898]
	10f2d0b0 ff4834          dec     dword ptr [eax+34h]

	BUGCHECK_STR:  NULL_CLASS_PTR_WRITE

	NTGLOBALFLAG:  400

	APPLICATION_VERIFIER_FLAGS:  0

	APP:  firefox.exe

	ANALYSIS_VERSION: 10.0.10240.9 x86fre

	LAST_CONTROL_TRANSFER:  from 109ef849 to 10f2d0b0

	STACK_TEXT:  
	1723d8a8 109ef849 1723d8f8 1723d9b8 1723db01 xul!mozilla::dom::XMLHttpRequestWorker::Open+0x53d861
	1723d8d0 10aac1cf 1723d8f8 1723d9b8 1723db01 xul!mozilla::dom::XMLHttpRequestWorker::Open+0x2a
	1723dae0 108869ce 18daa800 1723db28 18ccaa00 xul!mozilla::dom::XMLHttpRequestBinding::open+0x26d
	1723db3c 354b84b3 18daa800 00000003 1723db68 xul!mozilla::dom::GenericBindingMethod+0xec
	WARNING: Frame IP not in any known module. Following frames may be wrong.
	1723db94 354b8277 00005021 00000001 ffffff84 0x354b84b3
	1723dbec 354b08ff 00002443 1902fe40 00000001 0x354b8277
	1723dc28 107a4fa9 354b8150 00000002 1723e130 0x354b08ff
	1723ded8 107a4d84 354b8150 18daa800 00000000 xul!EnterJit+0x114
	1723df04 10df0559 1723e03c 1723e03c 1723e03c xul!js::jit::MaybeEnterJit+0x24
	1723dfb0 1065ee54 18daa800 1723e030 1902d040 xul!js::RunScript+0x219
	1723e04c 107efa2e 00000000 50532af0 18daa800 xul!js::InternalCallOrConstruct+0x1e4
	1723e06c 107a76e7 1723e1d8 1723e280 1723e1b8 xul!js::Call+0x8b
	1723e17c 1078e853 1723e280 1723e1d8 1723e1b8 xul!JS::Call+0xf7
	1723e254 1078e715 18daa800 1723e280 18cf6040 xul!mozilla::dom::EventHandlerNonNull::Call+0x108
	1723e364 1078e5f9 18c93428 18cf6040 1723e3d0 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0xb8
	1723e4d0 1078e981 18c93420 18cf6040 189d59b0 xul!mozilla::JSEventHandler::HandleEvent+0xea
	1723e5f4 1064a829 189f3838 18cf6040 189f35e0 xul!mozilla::EventListenerManager::HandleEventSubType+0xbc
	1723e7e4 1064a1d8 00000000 189d59b0 1723e8e0 xul!mozilla::EventListenerManager::HandleEventInternal+0x519
	1723e838 10648522 00000000 1723e8d0 189d59b0 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x6b8
	1723e98c 106f31fe 189d59b0 18cf6040 1723e9d8 xul!mozilla::EventDispatcher::Dispatch+0x6e2
	1723e9c4 106f318c 18cf6040 00000000 1723e9d8 xul!mozilla::EventDispatcher::DispatchDOMEvent+0x5d
	1723e9dc 11d4fbb0 189f35e0 18cf6040 1723ea0f xul!mozilla::DOMEventTargetHelper::DispatchEvent+0x1b
	1723eb30 112ef7f8 1723eb4f 1723eb84 1745a530 xul!mozilla::dom::BroadcastChannelChild::RecvNotify+0x236
	1723ebd4 10ba9198 1745a530 1745a530 18cc00bc xul!mozilla::dom::PBroadcastChannelChild::OnMessageReceived+0x1bb
	1723ed60 10861fea 1745a530 1745a500 18cc00bc xul!mozilla::ipc::PBackgroundChild::OnMessageReceived+0x48
	1723ed7c 10861205 0045a530 1745a530 18cc00bc xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x6f
	1723eddc 10860914 1745a530 1745a500 18cde250 xul!mozilla::ipc::MessageChannel::DispatchMessageW+0x13b
	1723edfc 10860853 1745a500 00000000 08d4e7e0 xul!mozilla::ipc::MessageChannel::RunMessage+0xb0
	1723ee14 10645b07 1745a500 18cba000 189c3000 xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x5d
	1723f37c 10819de4 08d4e7e0 189c3000 1723f397 xul!nsThread::ProcessNextEvent+0x367
	1723f398 10819884 18ccd7c0 18daa800 08d4e7e0 xul!NS_ProcessNextEvent+0x1a
	1723f414 10b12677 18daa800 00000000 08d4e7e0 xul!mozilla::dom::workers::WorkerPrivate::DoRunLoop+0xff
	1723f5cc 10645b07 18ccd7c0 08eacab0 1723fb01 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x115
	1723fb30 10819de4 08d4e7e0 1723fb01 1723fb4b xul!nsThread::ProcessNextEvent+0x367
	1723fb4c 10819d9d 08eacab0 08eacab0 00000000 xul!NS_ProcessNextEvent+0x1a
	1723fb68 107b7a7e 00eacab0 da595569 08d4e7e0 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xc0
	1723fba0 107b7a3e 08eacab0 00000001 00000000 xul!MessageLoop::RunHandler+0x1f
	1723fbc0 107b7195 76b66870 158ea4b0 158ea560 xul!MessageLoop::Run+0x19
	1723fbe4 0f81b1a9 006fd880 0f94b870 0f810bf5 xul!nsThread::ThreadFunc+0xc0
	1723fc04 0f810c02 158ea4b0 1723fc4c 73d6e89f nss3!_PR_NativeRunThread+0xcc
	1723fc10 73d6e89f 158ea4b0 bad3a841 73d6e860 nss3!pr_root+0xd
	1723fc4c 76b68744 0f94b870 00000000 bf8da4ce ucrtbase!thread_start<unsigned int (__stdcall*)(void *)>+0x3f
	1723fc60 5053c542 0f94b870 73d6e860 76b68720 KERNEL32!BaseThreadInitThunk+0x24
	1723fc74 76f4582d 0f94b870 bfcd2ad7 00000000 mozglue!patched_BaseThreadInitThunk+0x27
	1723fcbc 76f457fd ffffffff 76f66398 00000000 ntdll!__RtlUserThreadStart+0x2f
	1723fccc 00000000 73d6e860 0f94b870 00000000 ntdll!_RtlUserThreadStart+0x1b


	FAULTING_SOURCE_LINE:  z:\build\build\src\dom\xhr\xmlhttprequestworker.cpp

	FAULTING_SOURCE_FILE:  z:\build\build\src\dom\xhr\xmlhttprequestworker.cpp

	FAULTING_SOURCE_LINE_NUMBER:  1898

	FAULTING_SOURCE_CODE:  
	  1894: 
	  1895:   ++mProxy->mOpenCount;
	  1896:   runnable->Dispatch(Terminating, aRv);
	  1897:   if (aRv.Failed()) {
	> 1898:     if (!--mProxy->mOpenCount) {
	  1899:       ReleaseProxy();
	  1900:     }
	  1901: 
	  1902:     return;
	  1903:   }


	SYMBOL_STACK_INDEX:  0

	SYMBOL_NAME:  xul!mozilla::dom::XMLHttpRequestWorker::Open+53d861

	FOLLOWUP_NAME:  MachineOwner

	MODULE_NAME: xul

	IMAGE_NAME:  xul.dll

	DEBUG_FLR_IMAGE_TIMESTAMP:  59f9bad2

	STACK_COMMAND:  ~214s ; kb

	FAILURE_BUCKET_ID:  NULL_CLASS_PTR_WRITE_c0000005_xul.dll!mozilla::dom::XMLHttpRequestWorker::Open

	BUCKET_ID:  NULL_CLASS_PTR_WRITE_xul!mozilla::dom::XMLHttpRequestWorker::Open+53d861

	PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_WRITE_xul!mozilla::dom::XMLHttpRequestWorker::Open+53d861

	FAILURE_PROBLEM_CLASS:  NULL_CLASS_PTR_WRITE

	FAILURE_EXCEPTION_CODE:  c0000005

	FAILURE_IMAGE_NAME:  xul.dll

	FAILURE_FUNCTION_NAME:  mozilla::dom::XMLHttpRequestWorker::Open

	FAILURE_SYMBOL_NAME:  xul.dll!mozilla::dom::XMLHttpRequestWorker::Open

	ANALYSIS_SOURCE:  UM

	FAILURE_ID_HASH_STRING:  um:null_class_ptr_write_c0000005_xul.dll!mozilla::dom::xmlhttprequestworker::open

	FAILURE_ID_HASH:  {0271159d-aea1-9195-f19f-2be8a2715c11}

	Followup:     MachineOwner
	---------
baku, is this a security bug? I've potentially marked it as such. Please see how big of a deal this is.
Assignee: nobody → amarchesini
Group: dom-core-security
Priority: -- → P2
Flags: needinfo?(amarchesini)
Attached patch xhr_crash.patchSplinter Review
OpenRunnable is a sync runnable. Note that we already have a similar fix a couple of lines after this if statement: "// We have been released in one of the nested Open() calls."...

This mProxy null check must be added in case aRv failed.
Flags: needinfo?(amarchesini)
Attachment #8927262 - Flags: review+
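The comment above and the repro in the description describe the same hazard: Open() bumps mProxy->mOpenCount, then blocks in a synchronous runnable that keeps spinning the worker event loop, and a queued BroadcastChannel message can call open() again and tear the proxy down before the outer Open() resumes and decrements the counter. The model below is an added example written for this page, not Firefox code: the class and member names (WorkerXhr, Proxy, DispatchSync, the `hardened` switch) are hypothetical stand-ins, and the nested handler calling ReleaseProxy() directly is an assumption standing in for whatever path in Firefox released the proxy; the page only shows that mProxy was null at the faulting line.

```cpp
// Added example (not Firefox code): model of the re-entrancy bug behind
// XMLHttpRequestWorker::Open() and of the null check the patch adds.
#include <cassert>
#include <functional>
#include <memory>
#include <queue>

// Stand-in for the per-XHR proxy; only the open counter matters here.
struct Proxy {
    int mOpenCount = 0;
};

// Stand-in for mozilla::ErrorResult.
struct ErrorResult {
    bool mFailed = false;
    bool Failed() const { return mFailed; }
};

enum class OpenOutcome { Ok, NullProxyWrite };

class WorkerXhr {
public:
    explicit WorkerXhr(bool hardened) : mHardened(hardened) {}

    // Queue a callback that runs the next time the worker event loop spins
    // (the BroadcastChannel message in the repro).
    void PostEvent(std::function<void()> ev) { mEvents.push(std::move(ev)); }

    void ReleaseProxy() { mProxy.reset(); }
    bool HasProxy() const { return static_cast<bool>(mProxy); }

    // Model of Open(); `fail` selects whether the sync dispatch reports failure.
    OpenOutcome Open(bool fail) {
        if (!mProxy) {
            mProxy = std::make_unique<Proxy>();
        }
        ErrorResult rv;
        ++mProxy->mOpenCount;
        DispatchSync(rv, fail);  // may re-enter Open() and release the proxy

        if (rv.Failed()) {
            // Pre-fix code did `--mProxy->mOpenCount` unconditionally here.
            if (!mProxy) {
                if (mHardened) {
                    return OpenOutcome::Ok;          // the added null check
                }
                return OpenOutcome::NullProxyWrite;  // the crash at line 1898
            }
            if (!--mProxy->mOpenCount) {
                ReleaseProxy();
            }
            return OpenOutcome::Ok;
        }

        // The check that already existed on the success path:
        // "We have been released in one of the nested Open() calls."
        if (!mProxy) {
            return OpenOutcome::Ok;
        }
        --mProxy->mOpenCount;
        return OpenOutcome::Ok;
    }

private:
    // Models the sync OpenRunnable: while waiting for the main thread the
    // worker keeps processing queued events, so nested calls run in here.
    void DispatchSync(ErrorResult& aRv, bool fail) {
        while (!mEvents.empty()) {
            auto ev = std::move(mEvents.front());
            mEvents.pop();
            ev();
        }
        aRv.mFailed = fail;
    }

    bool mHardened;
    std::unique_ptr<Proxy> mProxy;
    std::queue<std::function<void()>> mEvents;
};

// The bug's scenario: an event queued before open() re-enters and releases
// the proxy while the outer open() is blocked; the outer dispatch then fails
// (the repro opens a non-existent file).
OpenOutcome RunScenario(bool hardened) {
    WorkerXhr xhr(hardened);
    xhr.PostEvent([&xhr] {
        xhr.Open(false);     // nested open(), like the onmessage listener
        xhr.ReleaseProxy();  // assumed: the nested call tears the proxy down
    });
    return xhr.Open(true);
}

// Without re-entrancy the failure path is fine in both builds: the count
// drops to zero and the proxy is released exactly once.
bool PlainFailureReleasesProxy() {
    WorkerXhr xhr(/*hardened=*/false);
    return xhr.Open(true) == OpenOutcome::Ok && !xhr.HasProxy();
}

int main() {
    assert(RunScenario(false) == OpenOutcome::NullProxyWrite);
    assert(RunScenario(true) == OpenOutcome::Ok);
    assert(PlainFailureReleasesProxy());
    return 0;
}
```

The general rule the model illustrates: any member read after a synchronous dispatch that spins the event loop must be re-validated, because the nested events ran with full access to `this`. The pre-existing check on the success path shows the code already knew this; the patch applies the same check on the failure path.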
Comment on attachment 8927262 [details] [diff] [review]
xhr_crash.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

This is simply a UAF.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No comment yet :) I want to write something like: "Improve the mProxy use after the sync OpenRunnable"

Which older supported branches are affected by this flaw?

all.

If not all supported branches, which bug introduced the flaw?

Sync runnables in workers. Old stuff.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

It should be easy to port to all the branches.

How likely is this patch to cause regressions; how much testing does it need?

None. Just a security check, as we do in the following if() statement.
Attachment #8927262 - Flags: sec-approval?
Comment on attachment 8927262 [details] [diff] [review]
xhr_crash.patch

Clearing sec-approval since this is a sec-low now. Land away.
Attachment #8927262 - Flags: sec-approval?
https://hg.mozilla.org/mozilla-central/rev/063022b93ec4
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Group: dom-core-security → core-security-release
Doesn't seem worth backporting to ESR52 if it's only a sec-low. But please do nominate it for Beta approval :)
Flags: needinfo?(amarchesini)
Comment on attachment 8927262 [details] [diff] [review]
xhr_crash.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: XHR can crash.
Fix Landed on Version: 59
Risk to taking this patch (and alternatives if risky): low. Just a simple null check.
String or UUID changes made by this patch: none

This patch is nice to have in 52. We _must_ have it in beta.
Flags: needinfo?(amarchesini)
Attachment #8927262 - Flags: approval-mozilla-esr52?
Attachment #8927262 - Flags: approval-mozilla-beta?
Comment on attachment 8927262 [details] [diff] [review]
xhr_crash.patch

It's a simple null check. Should be low-risk. Beta52+ & ESR52+.
Attachment #8927262 - Flags: approval-mozilla-esr52?
Attachment #8927262 - Flags: approval-mozilla-esr52+
Attachment #8927262 - Flags: approval-mozilla-beta?
Attachment #8927262 - Flags: approval-mozilla-beta+
Duplicate of this bug: 1426319
Whiteboard: [adv-main58+][adv-esr52.6+]
Alias: CVE-2018-5120
Whiteboard: [adv-main58+][adv-esr52.6+] → [adv-main58+][adv-esr52.6+][post-critsmash-triage]
Hello, 
I have reproduced this issue using Nightly 58.0a1 (20171101104430) and also verified the fix on the following builds using the STR in the description on Windows 10 x64.

- 58.0b16 win32
- 58.0 RC win 32
- 58.0 RC win 64
- 59.0a1 win 32 (20180121100439)
- 59.0a1 win 64 (20180121100439)
- ESR 52.6 win 32
- ESR 52.6 win 64

Please let me know if I can help any further.
Group: core-security-release