Closed Bug 1620818 (CVE-2020-6819) Opened 4 months ago Closed 3 months ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3302:12 in SynchronizeLayoutHistoryState

Categories

(Core :: DOM: Navigation, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla76
Tracking Status
firefox-esr68 74+ fixed
firefox74 + fixed
firefox75 + fixed
firefox76 + fixed

People

(Reporter: rs, Assigned: smaug)

References

Details

(Keywords: csectype-uaf, sec-critical, testcase-wanted)

Attachments

(2 files, 1 obsolete file)

Attached file browser-ff.txt

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36

Steps to reproduce:

I have been randomly obtaining this Use-After-Free at a specific website that I was investigating. I don't have a reproducer so far. Not sure if it's due to recent Firefox code changes or has really been triggered intentionally since it was with a custom Firefox build and m-c-20200226162551-fuzzing-asan-opt.

Actual results:

=================================================================
==27386==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001009c0 at pc 0x7f098a30d54a bp 0x7ffe5a8f3a60 sp 0x7ffe5a8f3a58
READ of size 8 at 0x60e0001009c0 thread T0 (Web Content)
    #0 0x7f098a30d549 in SynchronizeLayoutHistoryState /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3302:12
    #1 0x7f098a30d549 in non-virtual thunk to nsDocShell::SynchronizeLayoutHistoryState() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #2 0x7f09877e53f2 in nsDocumentViewer::Close(nsISHEntry*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1656:44
    #3 0x7f09877e487d in nsDocumentViewer::~nsDocumentViewer() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:627:5
    #4 0x7f09877e6ccd in nsDocumentViewer::~nsDocumentViewer() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:625:39
    #5 0x7f09877e4486 in nsDocumentViewer::Release() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:613:1
    #6 0x7f098a2e7cc7 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:330:7
    #7 0x7f098a2e7cc7 in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:450:1
    #8 0x7f098a2e937d in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:411:27
    #9 0x7f097edb2c88 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2460:9
    #10 0x7f097ed91876 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:942:23
    #11 0x7f097ed92135 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2625:14
    #12 0x7f09813d97dc in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:147:9
    #13 0x7f097ef6cea8 in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:326:22
    #14 0x7f097ef48bd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #15 0x7f097ef53a3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:481:10
    #16 0x7f09801a9fcf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #17 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #19 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #20 0x7f0987230cb8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #21 0x7f098ad63ca6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:20
    #22 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #23 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #24 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #25 0x7f098ad63269 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:779:34
    #26 0x55fdb83a2433 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #27 0x55fdb83a2433 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #28 0x7f099ad2c1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #29 0x55fdb82f7ddc in _start (/home/fuzzer/dev/m-c-20200226162551-fuzzing-asan-opt/firefox+0x9bddc)

0x60e0001009c0 is located 0 bytes inside of 160-byte region [0x60e0001009c0,0x60e000100a60)
freed by thread T0 (Web Content) here:
    #0 0x55fdb836faad in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f098a3be096 in nsSHEntry::Release() /builds/worker/workspace/build/src/docshell/shistory/nsSHEntry.cpp:81:1
    #2 0x7f098a2e79a4 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:330:7
    #3 0x7f098a2e79a4 in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:450:1
    #4 0x7f098a2e937d in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:411:27
    #5 0x7f097edb2c88 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2460:9
    #6 0x7f097ed91876 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:942:23
    #7 0x7f097ed92135 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2625:14
    #8 0x7f09813d97dc in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:147:9
    #9 0x7f097ef6cea8 in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:326:22
    #10 0x7f097ef48bd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #11 0x7f097ef53a3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:481:10
    #12 0x7f09801a9fcf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #13 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #15 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #16 0x7f0987230cb8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #17 0x7f098ad63ca6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:20
    #18 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #20 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #21 0x7f098ad63269 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:779:34
    #22 0x55fdb83a2433 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #23 0x55fdb83a2433 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #24 0x7f099ad2c1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 (Web Content) here:
    #0 0x55fdb836fd2d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55fdb83a582d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f098a3ae651 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f098a3ae651 in mozilla::dom::CreateSHEntryForDocShell(nsISHistory*) /builds/worker/workspace/build/src/docshell/shistory/ChildSHistory.cpp:126:32
    #4 0x7f098a3525d4 in nsDocShell::AddToSessionHistory(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, bool, nsISHEntry**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:11073:13
    #5 0x7f098a33efc3 in nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, unsigned int, nsIContentSecurityPolicy*, bool, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10540:13
    #6 0x7f098a33fbac in nsDocShell::OnLoadingSite(nsIChannel*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10602:10
    #7 0x7f098a2d9a8a in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7705:33
    #8 0x7f098a2d7c9c in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:168:20
    #9 0x7f098195227a in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:632:18
    #10 0x7f098194f84a in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:313:9
    #11 0x7f098194e211 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:191:8
    #12 0x7f097faa807c in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:707:20
    #13 0x7f097fab671c in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:557:3
    #14 0x7f097fb6d806 in operator() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:411:15
    #15 0x7f097fb6d806 in std::_Function_handler<void (), mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&)::$_5>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #16 0x7f097f8e83ba in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:260:10
    #17 0x7f097fab47ff in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:401:12
    #18 0x7f098086677c in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:862:28
    #19 0x7f098057a777 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:8563:32
    #20 0x7f098019e122 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2214:25
    #21 0x7f098019932a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2136:9

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3302:12 in SynchronizeLayoutHistoryState
Shadow bytes around the buggy address:
  0x0c1c800180e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c800180f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1c80018100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c80018110: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c80018120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
=>0x0c1c80018130: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c1c80018140: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1c80018150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80018160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80018170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80018180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27386==ABORTING
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Navigation
Product: Firefox → Core

Is there a reason why this bug has no one or no priority assigned to it? (I don't know if Mozilla is completely shutdown/frozen right now)

Flags: needinfo?(dveditz)
Assignee: nobody → bugs

Aha, this is interesting, but seems to be obvious based on code inspection.
nsCOMPtr doesn't set mRawPtr to nullptr in its dtor, so if somehow something manages to access that memory after the dtor has run,
unexpected things may happen.

Flags: needinfo?(dveditz)
Priority: -- → P1

What are the concerns to apply this patch? There is not much detail in phabricator to understand it better.

Flags: needinfo?(bugs)

(In reply to Francisco A. from comment #4)

This website belongs to a (known to us) threat actor network that makes specific campaigns towards certain profiles, so I wouldn't take this as a random crash, due to the origin and the privesc (second stage) we found after that.

Wait, are you saying this is an exploit observed in the wild, rather than a crash?
Was the privesc also targeting Firefox?

Flags: needinfo?(rs)
Flags: needinfo?(rs)

That's what I expected to hear. Thank you, Francisco.
FYI: We'll be able to keep information selectively confidential and remove it from the bug if you want to expose more but are afraid of making stuff public. You can also always send email to security@mozilla.org - especially if you see immediate danger for our users.

Keywords: sec-high → sec-critical

Just to be clear, we want to notify users. Same as previous advisories: "We are aware of targeted attacks in the wild abusing this flaw." with our acknowledgement. What we don't want right now is to give full details or a blogpost about it (who/how/when) until we finish our research, so we don't miss other things. I will definitely use the email when I have more details. Thank you!

(In reply to Frederik Braun [:freddy] from comment #8)

That's what I expected to hear. Thank you, Francisco.
FYI: We'll be able to keep information selectively confidential and remove it from the bug if you want to expose more but are afraid of making stuff public. You can also always send email to security@mozilla.org - especially if you see immediate danger for our users.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment on attachment 9137752 [details]
Bug 1620818, release nsDocShell::mContentViewer properly, r=nika,peterv

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: crashes
  • Fix Landed on Version: Not yet
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Destroying a ContentViewer object just a tiny bit sooner
  • String or UUID changes made by this patch: NA

Beta/Release Uplift Approval Request

  • User impact if declined: crashes
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: (there is no testcase, the patch is fully based on code auditing)
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Destroying a ContentViewer object just a tiny bit sooner
  • String changes made/needed: NA

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: We don't know how to construct any exploit from this. (I guess we don't even know atm if there is any exploit. We know there are crashes)
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: The patch seems to apply with some --fuzz to esr68
  • How likely is this patch to cause regressions; how much testing does it need?: This code should run in usual cases, and even without the patch similar code would run just after existing nsDocShell destructor.
Flags: needinfo?(bugs)
Attachment #9137752 - Flags: sec-approval?
Attachment #9137752 - Flags: approval-mozilla-esr68?
Attachment #9137752 - Flags: approval-mozilla-beta?
Attachment #9134770 - Attachment is obsolete: true
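The teardown order that smaug's comment and the ASan trace describe, and the direction the uplift request gives for the fix (destroying the ContentViewer a little sooner), as an added model that is not Gecko code and not the actual patch. The class names, the manual teardown methods, and the live-object registry are assumptions of this example: the registry stands in for AddressSanitizer's shadow bytes so that the stale read is detected and reported instead of being performed.

```cpp
#include <cstdio>
#include <set>

// Constructed model of the object graph behind this bug (not Gecko code).
// A registry of live heap objects stands in for ASan's shadow memory: a
// pointer to an object that has already been deleted is reported as a
// use-after-free rather than dereferenced.
static std::set<const void*> g_live;

struct SHEntry {
    int refcnt = 0;
    int layoutState = 0;
    SHEntry() { g_live.insert(this); }
    ~SHEntry() { g_live.erase(this); }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
};

// Stand-in for nsCOMPtr. Teardown is driven by hand (no destructor) so the
// stale pointer can be observed deterministically. ReleaseKeepingRawPtr()
// mirrors what ~nsCOMPtr does as described in this bug: Release() the
// object and leave mRawPtr untouched.
template <class T>
struct COMPtr {
    T* mRawPtr = nullptr;
    void Assign(T* p) { if (p) p->AddRef(); mRawPtr = p; }
    void ReleaseKeepingRawPtr() { if (mRawPtr) mRawPtr->Release(); }
    void Reset() { if (mRawPtr) mRawPtr->Release(); mRawPtr = nullptr; }
};

enum class SyncResult { NotRun, Ok, NoEntry, UseAfterFree };

struct DocShell;

struct DocumentViewer {
    int refcnt = 0;
    DocShell* mContainer;
    explicit DocumentViewer(DocShell* c) : mContainer(c) { g_live.insert(this); }
    ~DocumentViewer();  // defined below: closes the viewer, like nsDocumentViewer
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
    void Close();
};

struct DocShell {
    COMPtr<DocumentViewer> mContentViewer;
    COMPtr<SHEntry> mOSHE;  // current session history entry
    SyncResult lastSync = SyncResult::NotRun;

    // The call the trace shows being entered from nsDocumentViewer::Close().
    SyncResult SynchronizeLayoutHistoryState() {
        SHEntry* e = mOSHE.mRawPtr;
        if (!e) return lastSync = SyncResult::NoEntry;
        if (!g_live.count(e)) return lastSync = SyncResult::UseAfterFree;
        e->layoutState = 1;
        return lastSync = SyncResult::Ok;
    }

    // Members released in reverse declaration order, as the compiler does at
    // the end of a destructor: the history entry is freed first, then the
    // viewer, whose own destructor calls back into the shell.
    void TeardownBuggy() {
        mOSHE.ReleaseKeepingRawPtr();
        mContentViewer.ReleaseKeepingRawPtr();
    }

    // Close the viewer while mOSHE is still alive, then drop the entry.
    void TeardownFixed() {
        mContentViewer.Reset();
        mOSHE.Reset();
    }
};

DocumentViewer::~DocumentViewer() { Close(); g_live.erase(this); }
void DocumentViewer::Close() { if (mContainer) mContainer->SynchronizeLayoutHistoryState(); }

// Build a shell owning one viewer and one history entry, tear it down the
// requested way, and report what the synchronize call observed.
static SyncResult RunScenario(bool fixed) {
    DocShell shell;
    shell.mContentViewer.Assign(new DocumentViewer(&shell));
    shell.mOSHE.Assign(new SHEntry());
    if (fixed) shell.TeardownFixed(); else shell.TeardownBuggy();
    return shell.lastSync;
}

// True when every modelled heap object has been released (no leaks).
static bool NoLiveObjects() { return g_live.empty(); }

int main() {
    std::printf("buggy teardown: %s\n",
                RunScenario(false) == SyncResult::UseAfterFree ? "read of freed SHEntry" : "ok");
    std::printf("fixed teardown: %s\n",
                RunScenario(true) == SyncResult::Ok ? "ok" : "unexpected");
    return 0;
}
```

The model makes the two points of the thread concrete: a smart pointer that releases without nulling leaves a readable stale address behind, and a destructor that lets the compiler's reverse-order member destruction run callbacks is exposed to exactly that stale address. Releasing the viewer explicitly before the other members go away removes the window without changing what the viewer does on close.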

Francisco, assuming this is something you can still reproduce on demand (is that correct?), would you be able to test out a build with the attached patch included to confirm that it resolves the issue?

Flags: needinfo?(rs)

The limited tests I have done were with a custom 74/75.0 build with the patch (in case there are other version checks; I can't abuse testing it) and the supplied build 76.0a1. I will do some more testing, but no crash so far.
Please proceed landing the fix without me being a block of this task. If I see anything new I will let you know as soon as possible. (again thank you all).

(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)

Francisco, assuming this is something you can still reproduce on demand (is that correct?), would you be able to test out a build with the attached patch included to confirm that it resolves the issue?

Flags: needinfo?(rs)

Comment on attachment 9137752 [details]
Bug 1620818, release nsDocShell::mContentViewer properly, r=nika,peterv

a=dveditz for sec-approval and all the branch landings (the latter ok'd by ryan via slack)

Attachment #9137752 - Flags: sec-approval?
Attachment #9137752 - Flags: sec-approval+
Attachment #9137752 - Flags: approval-mozilla-release+
Attachment #9137752 - Flags: approval-mozilla-esr68?
Attachment #9137752 - Flags: approval-mozilla-esr68+
Attachment #9137752 - Flags: approval-mozilla-beta?
Attachment #9137752 - Flags: approval-mozilla-beta+
Flags: sec-bounty?

Francisco, are you able to say if JS is required to be enabled for an exploit to work?

(In reply to Kai Engert (:KaiE:) from comment #16)

Francisco, are you able to say if JS is required to be enabled for an exploit to work?

The reason I'm asking: I don't see JS code in the stack, just DOM/HTML processing code. If JS isn't required, then TB is at high risk, too (it disables JS for received email). Not knowing if JS is required, we are currently considering a chemspill for TB, too.

JS, as far as I know, is necessary. Personally I would worry more about Firefox, but it is a patch that seems simple and does not seem to break functionality. Maybe it's reasonable to fix TB in case we are missing anything.

(In reply to Kai Engert (:KaiE:) from comment #17)

(In reply to Kai Engert (:KaiE:) from comment #16)

Francisco, are you able to say if JS is required to be enabled for an exploit to work?

The reason I'm asking: I don't see JS code in the stack, just DOM/HTML processing code. If JS isn't required, then TB is at high risk, too (it disables JS for received email). Not knowing if JS is required, we are currently considering a chemspill for TB, too.

(In reply to Francisco A. from comment #18)

Maybe it's reasonable to fix TB in case we are missing anything.

Thanks Francisco. Yes, we want to fix Thunderbird. Question is, is it justified to chemspill Thunderbird, or could it wait until next week's regular 68.7 update.

It sounds like you cannot completely eliminate the possibility that the exploit might work without having JS on.

Alias: CVE-2020-6819

I have a question about this patch:

In ~nsDocShell, Destroy() is already called before the added code and in nsDocShell::Destroy() the same cleanup code is already present (L4521).
So wouldn't this cleanup already be done there?

As I mentioned by email, could Bugzilla admins remove or redact comments #4 and #7? Thanks!

Francisco, I have removed the contents of comment 4 and comment 7. Can you please check if you can see the original content, if you click the "edited" link in those comments? (I can still see it, but it might be limited to people in the security group.)

It seems to only show "(Hidden by Administrator)". Thanks!

(In reply to Kai Engert (:KaiE:) from comment #22)

Francisco, I have removed the contents of comment 4 and comment 7. Can you please check if you can see the original content, if you click the "edited" link in those comments? (I can still see it, but it might be limited to people in the security group.)

Duplicate of this bug: 1631622
Flags: sec-bounty? → sec-bounty+
Group: core-security-release