Closed Bug 1629403 Opened 6 years ago Closed 6 years ago

Use after Free outside sandbox

Categories

(Core :: Printing: Setup, task)

Product:
Core
Component:
Printing: Setup
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: hiimbogdan, Unassigned, NeedInfo)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

poc.html
274 bytes, text/html
Details
Attached file poc.html

UaF outside the sandbox (Print in onunload)

Steps to reproduce the problem:

  1. Open poc.html in firefox

Firefox version: 75.0
OS: Windows 10 build 1909 (64 bit)

Flags: sec-bounty?

I can't reproduce a crash, never mind a uaf, on either Windows or Mac. Can you provide more details? Does it depend on actually printing (perhaps with a specific printer / driver), or canceling the dialog, or something else? And can you reproduce on nightly? Do you have any submitted crashreports from these crashes that you can link to?

I'd also note that the navigation seems to not complete for me until after I dismiss/accept the print dialog. Do you see the same thing or no?

Group: firefox-core-security → dom-core-security
Component: Security → Printing: Setup
Flags: needinfo?(hiimbogdan)
Product: Firefox → Core

I tried reproducing this on Linux with ASan, no luck. An ASan trace would be nice to have, if there is a use-after-free.

Or even if you don't have an ASAN build, a regular crash link from about:crashes would help with some clues.

Don't know where to go from here without more info.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE

Marking bounty-, if the reporter re-appears we can re-evaluate.

Flags: sec-bounty? → sec-bounty-
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: