Open Bug 1599681 Opened 5 years ago Updated 4 years ago

Textarea Memory Corruption Vulnerability

Categories

(Core :: DOM: Editor, defect, P3)

defect

Tracking


UNCONFIRMED

People

(Reporter: wkexu, Unassigned)

Details

(Whiteboard: [disclosure deadline Feb 27, 2020])

Attachments

(1 file)

Attached file poc.zip (278.01 KB, application/x-zip-compressed)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Steps to reproduce:

  1. Open the PoC "poc.html" with Firefox
  2. Click "TriggerCrash" button

Actual results:

Mozilla Firefox Browser crashed and showed "Gah. Your tab just crashed".

Crash Information:
4:032> g
(3b34.3e58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!free_utf_tbl+0x11e1:
00007ffb89250f21 890c2500000000 mov dword ptr [0],ecx ds:0000000000000000=????????
4:032> g
(3b34.3e58): Access violation - code c0000005 (!!! second chance !!!)
xul!free_utf_tbl+0x11e1:
00007ffb89250f21 890c2500000000 mov dword ptr [0],ecx ds:0000000000000000=????????
4:032> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at xul!free_utf_tbl+0x00000000000011e1 (Hash=0x1b817764.0x5d243fcb)
User mode write access violations that are near NULL are unknown.
4:032> kv
# Child-SP RetAddr : Args to Child : Call Site
00 000000a4357fbbd0 00007ffb8988ae0d : 000331432a685f28 000000a4357fbc90 00002cfab21e60c6 00000000000000f4 : xul!free_utf_tbl+0x11e1
01 000000a4357fbc00 00007ffb89883e74 : 406e600000000000 00007ffbb60c31e0 0000000000000ac8 00007ffb9c3b9639 : xul!get_stored_pointer+0xa39dd
02 000000a4357fbc60 00007ffb89922feb : 000000a4357fbe58 00007ffb89b9aac6 000000a4357fbe58 00007ffb898bace8 : xul!get_stored_pointer+0x9ca44
03 000000a4357fbcf0 00007ffb8990fb4e : 000331423b24c500 0003314299174e80 ffffffffb6010000 01002cfab21e6686 : xul!get_stored_pointer+0x13bbbb
04 000000a4357fbd70 00007ffb89b6a0bf : 0000000000010000 00000000007d0006 0000000000000000 0000000080004005 : xul!get_stored_pointer+0x12871e
05 000000a4357fbdc0 00007ffb89b6a207 : 0000000000000000 0000000000000000 0000023052553c00 00007ffb8edda060 : xul!get_stored_pointer+0x382c8f
06 000000a4357fbe30 00007ffb8be0fca9 : 0000023053e0bc00 00007ffb8be11559 0000023054030b00 00007ffb8c0cfbf5 : xul!get_stored_pointer+0x382dd7
07 000000a4357fbf20 00007ffb8be148cb : 000002304c178988 0000023053e30800 000002304c137a60 00007ffb8e3b4660 : xul!mozilla_dump_image+0x1becdf9
08 000000a4357fbf80 00007ffb8bdf796f : 00007ffb8e2969d2 0002000100000000 0000000000000000 0000000000000000 : xul!mozilla_dump_image+0x1bf1a1b
09 000000a4357fbff0 00007ffb8b4c7b92 : 0000000000000000 0000023052553c00 00007ffb8edda060 0000023000000101 : xul!mozilla_dump_image+0x1bd4abf
0a 000000a4357fc030 00007ffb8b4cdbd2 : 000002304c1e8b38 00002cfab21e1b16 000002304c137a60 00000230203e7a00 : xul!mozilla_dump_image+0x12a4ce2

Expected results:

Output Textarea will show "FFFFFFFFF..."

The test case consists of two files. One of them is about 245MB of what appears to be a JS file mostly consisting of a single gigantic string. I was able to load the test case on OSX without it crashing. I'm not sure what is going on with the stack shown at the end of comment 0, but from the information before that it looks like the crash might be happening in free_utf_tbl, so I'll move this to the spell checker component.

Assignee: moz_en-gb → nobody
Component: en-GB / English (United Kingdom) → Spelling checker
Product: Mozilla Localizations → Core
QA Contact: moz_en-gb
Group: core-security → dom-core-security
Whiteboard: [disclosure deadline Feb 27, 2020]

Tracking for 73 - the 73 release date is Feb. 11.

Kexu: we need more information from you about your system. From the first comment I assume you're running 64-bit Windows, but are you running a 64- or 32-bit version of Firefox? (It should be 64, but 32 would be significant if that's what you used.)

How much memory does your machine have? We have not reproduced it, but we may have beefier development machines than you're using.

When you got the "Gah" page, did you submit the crash report to us? If so, it will be more useful than just the stack you've pasted here (it would answer all the above questions, for a start). If you've submitted the crash, or if you can do so next time, you can find the link to the report on the page about:crashes. Please paste it into this bug.

Flags: needinfo?(wkexu)

I got it to crash in an ASan build but it took a few minutes.

Reproduced with m-c:
BuildID=20191202115917
SourceStamp=778b6b11194c072d2603e58118aaf6959e98902f

==26500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f646950112c bp 0x7ffe178238d0 sp 0x7ffe17823800 T0)
==26500==The signal is caused by a WRITE memory access.
==26500==Hint: address points to the zero page.
    #0 0x7f646950112b in mozilla::ipc::ProcessLink::SendMessage(IPC::Message*) src/ipc/glue/MessageLink.cpp:151:5
    #1 0x7f64694e57d8 in mozilla::ipc::MessageChannel::SendMessageToLink(IPC::Message*) src/ipc/glue/MessageChannel.cpp:1030:10
    #2 0x7f64694e406a in mozilla::ipc::MessageChannel::Send(IPC::Message*) src/ipc/glue/MessageChannel.cpp:1020:3
    #3 0x7f646a53c387 in void mozilla::ipc::MessageChannel::Send<mozilla::widget::IMENotificationRequests>(IPC::Message*, void*, std::function<void (mozilla::widget::IMENotificationRequests&&)>&&, std::function<void (mozilla::ipc::ResponseRejectReason)>&&) src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:225:10
    #4 0x7f646a486af7 in ChannelSend<mozilla::widget::IMENotificationRequests> src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:293:24
    #5 0x7f646a486af7 in mozilla::dom::PBrowserChild::SendNotifyIMEFocus(mozilla::ContentCache const&, mozilla::widget::IMENotification const&, std::function<void (mozilla::widget::IMENotificationRequests&&)>&&, std::function<void (mozilla::ipc::ResponseRejectReason)>&&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:1066:5
    #6 0x7f646a4875a7 in mozilla::dom::PBrowserChild::SendNotifyIMEFocus(mozilla::ContentCache const&, mozilla::widget::IMENotification const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:1075:5
    #7 0x7f64710b18a1 in mozilla::widget::PuppetWidget::NotifyIMEOfFocusChange(mozilla::widget::IMENotification const&) src/widget/PuppetWidget.cpp:782:18
    #8 0x7f64710b6e10 in mozilla::widget::PuppetWidget::NotifyIME(mozilla::widget::TextEventDispatcher*, mozilla::widget::IMENotification const&) src/widget/PuppetWidget.cpp:1379:14
    #9 0x7f64710bd635 in mozilla::widget::TextEventDispatcher::NotifyIME(mozilla::widget::IMENotification const&) src/widget/TextEventDispatcher.cpp:413:20
    #10 0x7f64710692a1 in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) src/widget/nsBaseWidget.cpp:1732:43
    #11 0x7f646ef7572f in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, mozilla::dom::BrowserParent*) src/dom/events/IMEStateManager.cpp:1626:22
    #12 0x7f646ef843d5 in mozilla::IMEContentObserver::IMENotificationSender::SendFocusSet() src/dom/events/IMEContentObserver.cpp:1794:3
    #13 0x7f646ef835dc in mozilla::IMEContentObserver::IMENotificationSender::Run() src/dom/events/IMEContentObserver.cpp:1657:5
    #14 0x7f646ef8231d in mozilla::IMEContentObserver::TryToFlushPendingNotifications(bool) src/dom/events/IMEContentObserver.cpp:1530:17
    #15 0x7f647129ac77 in mozilla::EditorEventListener::Focus(mozilla::InternalFocusEvent*) src/editor/libeditor/EditorEventListener.cpp:1052:3
    #16 0x7f646ef54fa7 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1078:22
    #17 0x7f646ef56a43 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1270:17
    #18 0x7f646ef3de36 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
    #19 0x7f646ef3de36 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:355:17
    #20 0x7f646ef3c06d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:557:16
    #21 0x7f646ef3cc49 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:5
    #22 0x7f646ef4183d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1055:11
    #23 0x7f646c749119 in FocusBlurEvent::Run() src/dom/base/nsFocusManager.cpp:1980:12
    #24 0x7f646c0cb2f3 in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) src/dom/base/nsContentUtils.cpp:5291:13
    #25 0x7f646c6bf7a2 in nsFocusManager::FireFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, nsISupports*, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2128:5
    #26 0x7f646c6bdbbe in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, mozilla::PresShell*, mozilla::dom::Document*, nsISupports*, unsigned int, bool, bool, mozilla::dom::EventTarget*) src/dom/base/nsFocusManager.cpp:2096:3
    #27 0x7f646c6b5224 in nsFocusManager::Focus(nsPIDOMWindowOuter*, mozilla::dom::Element*, unsigned int, bool, bool, bool, bool, nsIContent*) src/dom/base/nsFocusManager.cpp:1910:7
    #28 0x7f646c6aadb2 in nsFocusManager::SetFocusInner(mozilla::dom::Element*, int, bool, bool) src/dom/base/nsFocusManager.cpp:1319:5
    #29 0x7f646c6acaad in nsFocusManager::SetFocus(mozilla::dom::Element*, unsigned int) src/dom/base/nsFocusManager.cpp:463:3
    #30 0x7f646eebba99 in mozilla::EventStateManager::PostHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:3296:17
    #31 0x7f647170aea9 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) src/layout/base/PresShell.cpp:7813:30
    #32 0x7f6471700e7a in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7721:17
    #33 0x7f64716ffb66 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) src/layout/base/PresShell.cpp:6680:30
    #34 0x7f64716fd8bb in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6485:12
    #35 0x7f64716fc5fd in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6411:23
    #36 0x7f647103afbe in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:751:18
    #37 0x7f647103a9ad in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1137:9
    #38 0x7f64710ac30d in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:381:37
    #39 0x7f646b88f99a in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:544:21
    #40 0x7f64707903ea in DispatchWidgetEventViaAPZ src/dom/ipc/BrowserChild.cpp:1804:10
    #41 0x7f64707903ea in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1743:3
    #42 0x7f647078f272 in mozilla::dom::BrowserChild::ProcessPendingCoalescedMouseDataAndDispatchEvents() src/dom/ipc/BrowserChild.cpp:1595:7
    #43 0x7f647079327e in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/BrowserChild.cpp:1713:5
    #44 0x7f646a4b4a16 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:5296:56
    #45 0x7f6469888873 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:8167:32
    #46 0x7f64694f9c16 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2208:25
    #47 0x7f64694f4c31 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2130:9
    #48 0x7f64694f71a1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1972:3
    #49 0x7f64694f8067 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2003:13
    #50 0x7f64682b2241 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
    #51 0x7f64682e220a in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1250:14
    #52 0x7f64682e96b1 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #53 0x7f6469502dcf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #54 0x7f646940d002 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #55 0x7f646940d002 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #56 0x7f646940d002 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #57 0x7f64710e3528 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #58 0x7f647514d696 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #59 0x7f646940d002 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #60 0x7f646940d002 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #61 0x7f646940d002 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #62 0x7f647514cee4 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #63 0x559493737c5c in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #64 0x559493737c5c in main src/browser/app/nsBrowserApp.cpp:272:18
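The triage in this bug turns on one question about the ASan report above (and the WinDbg !exploitable output in comment 0): does the faulting address sit near NULL? As an added illustration, not code from this bug or from Mozilla, the Python helper below pulls the access kind, faulting address and top frame out of the first lines of an ASan SEGV report and applies that near-NULL rule of thumb, separating a null-pointer-style dereference (a crash, i.e. denial of service) from a fault at an arbitrary address that needs further analysis. The 4 KiB zero-page threshold and the second sample report are assumptions constructed for the example; the first sample is the beginning of the report above.

```python
"""Triage helper for AddressSanitizer SEGV reports.

Added for this write-up; it is not Mozilla's code. It extracts the facts a
reviewer checks first (access kind, faulting address, top frame) and applies
the same near-NULL rule of thumb used in the bug discussion: a fault inside
the zero page is a null-pointer-style dereference, i.e. a crash rather than
evidence of a controllable memory write.
"""
import re
from dataclasses import dataclass

# Assumption: ASan prints its "zero page" hint when the faulting address lies
# inside the first page of the address space; 4 KiB is the usual page size.
ZERO_PAGE_BYTES = 0x1000

HEADER_RE = re.compile(
    r"==(\d+)==ERROR: AddressSanitizer: SEGV on unknown address "
    r"0x([0-9a-fA-F]+) \(pc 0x([0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Frame #0 line: "#0 0x<pc> in <symbol, may contain spaces> <file:line[:col]>"
FRAME0_RE = re.compile(
    r"^\s*#0 0x[0-9a-fA-F]+ in (.+?) (\S+:\d+(?::\d+)?)\s*$", re.MULTILINE
)

# The first lines of the ASan report from this bug (verbatim) ...
SAMPLE_NEAR_NULL = """\
==26500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f646950112c bp 0x7ffe178238d0 sp 0x7ffe17823800 T0)
==26500==The signal is caused by a WRITE memory access.
==26500==Hint: address points to the zero page.
    #0 0x7f646950112b in mozilla::ipc::ProcessLink::SendMessage(IPC::Message*) src/ipc/glue/MessageLink.cpp:151:5
    #1 0x7f64694e57d8 in mozilla::ipc::MessageChannel::SendMessageToLink(IPC::Message*) src/ipc/glue/MessageChannel.cpp:1030:10
"""

# ... and a constructed report with a non-NULL address, to exercise the other branch.
SAMPLE_WILD = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x61d000012345 (pc 0x000000401234 bp 0x7ffd00001000 sp 0x7ffd00000ff0 T0)
==4242==The signal is caused by a READ memory access.
    #0 0x000000401233 in example_function example.cpp:10:3
"""


@dataclass
class SegvTriage:
    pid: int
    address: int
    pc: int
    access: str       # "READ", "WRITE" or "UNKNOWN"
    near_null: bool   # faulting address inside the zero page
    top_frame: str    # symbol of frame #0
    location: str     # file:line[:column] of frame #0
    verdict: str      # "null-deref-write", "null-deref-read" or "unclassified"

    def summary(self) -> str:
        where = f"{self.access} of 0x{self.address:x} in {self.top_frame} ({self.location})"
        if self.near_null:
            return (f"pid {self.pid}: {where}; address is inside the zero page, "
                    "so this is a null-pointer-style dereference: a crash (denial "
                    "of service) unless the offset from NULL is input-controlled.")
        return (f"pid {self.pid}: {where}; address is outside the zero page, "
                "not a plain null dereference; needs further analysis.")


def triage_asan_segv(report: str) -> SegvTriage:
    """Parse the header of an ASan SEGV report and classify the fault."""
    header = HEADER_RE.search(report)
    if header is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    pid = int(header.group(1))
    address = int(header.group(2), 16)
    pc = int(header.group(3), 16)

    access_match = ACCESS_RE.search(report)
    access = access_match.group(1) if access_match else "UNKNOWN"

    frame = FRAME0_RE.search(report)
    top_frame, location = (frame.group(1), frame.group(2)) if frame else ("?", "?")

    near_null = address < ZERO_PAGE_BYTES
    if near_null and access == "WRITE":
        verdict = "null-deref-write"
    elif near_null and access == "READ":
        verdict = "null-deref-read"
    else:
        verdict = "unclassified"
    return SegvTriage(pid, address, pc, access, near_null, top_frame, location, verdict)


if __name__ == "__main__":
    for sample in (SAMPLE_NEAR_NULL, SAMPLE_WILD):
        print(triage_asan_segv(sample).summary())
```

Run stand-alone it prints one summary line per sample; for the report above the verdict is "null-deref-write", which matches the "safe crash" / "DoS only" conclusion reached later in the bug. The zero-page test is only a first filter: a write whose offset from NULL depends on attacker-controlled data still deserves a closer look, which is why the summary spells that condition out.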

(In reply to Daniel Veditz [:dveditz] from comment #3)

> Kexu: we need more information from you about your system. From the first comment I assume you're running 64-bit Windows, but are you running a 64- or 32-bit version of Firefox? (It should be 64, but 32 would be significant if that's what you used.)
>
> How much memory does your machine have? We have not reproduced it, but we may have beefier development machines than you're using.
>
> When you got the "Gah" page, did you submit the crash report to us? If so, it will be more useful than just the stack you've pasted here (it would answer all the above questions, for a start). If you've submitted the crash, or if you can do so next time, you can find the link to the report on the page about:crashes. Please paste it into this bug.

Daniel:
Firefox version: Mozilla Firefox Browser, latest version (70.0.1) (x64)
Platform: Windows 10 Pro (x64) 10.0.18362 Build 18362
Memory Size: 32G

Crash Report ID: bp-a6b55451-63d8-4557-aea1-bd6990191206
Crash submitted date: 2019-12-06, 8:41 a.m.

Flags: needinfo?(wkexu)

The crash in comment 5 (and maybe comment 4) looks like IME is trying to send a very large message, which is a safe crash. That is different from the stack I see in comment 0, but maybe the stack is just from a different process than the one that initially crashed?

For the latter stack, if we should actually fix it, I think that we should limit the max length of editors (either contenteditable, <textarea> or <input>), e.g., banning too large values, disabling IME, etc. Once we could fix bug 1355519, we could do that more safely though (I mean users won't meet any inconvenience with normal web apps). But I have no idea how to fix it...

The priority flag is not set for this bug.
:smaug, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bugs)
Component: Spelling checker → DOM: Editor
Flags: needinfo?(bugs)

Does not appear to be an exploitable vulnerability beyond a DoS.

Group: dom-core-security

Can you add the following sentence when releasing a fixed version of this vulnerability?
“This vulnerability was discovered by Kexu Wang of Fortinet's FortiGuard Labs.”

Priority: -- → P3
Severity: normal → S3