Maliciously crafted data triggers firefox to crash immediately
Categories: Core :: DOM: UI Events & Focus Handling, defect
People: Reporter: sinha.aryan11, Assigned: masayuki
Details: 4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main99+]
Attachments: 2 files
Summary:
I was testing another website when I came across this vulnerability in Firefox. I checked whether it happens in any other browser and, strangely, found that only Firefox, Developer, and Nightly crash. Hence I believe this is a bug at Mozilla's Firefox end.
Description:
I was testing Atlassian (JIRA) and found that tickets containing a really small, specific piece of data lead Firefox to crash immediately when Ctrl+A is pressed over them.
Sharing my Atlassian test account credentials to quickly validate the issue. Attaching a video POC as well.
Login URL: https://id.atlassian.com/login
Email: aryan_sinha21@bugcrowdninja.com
Password: z4HGd9XEssTy54T
Reproduction Steps:
I have already created a ticket with data causing Firefox to crash; you can access it as follows:
- Once you log in with the credentials I mentioned, go to https://aryansinha.atlassian.net/browse/TES-3
- Scroll down the page and find the table in which I have listed the data, along with multiple other tables. Click on that table with the listed data and press Ctrl+A. Firefox will immediately crash.
I have tested this in the following Firefox browser clients: Firefox, Developer, and Nightly.
Well, honestly, I would say I am not sure what led Firefox to crash; it was just the observation. Hence I would request the team to investigate the same at your end.
Thanks!
Comment 1•3 years ago
Please tick the checkbox to enable sending us crash reports, send us a crash report, and then link it in a comment here (ideally from Nightly).
Comment 2•3 years ago (Reporter)
Hi Gijs,
Please find the crash report here: https://crash-stats.mozilla.org/report/index/4f5822b4-a95b-41aa-a84a-39a140211117
Let me know if I can help with any other information. Thanks!
Comment 3•3 years ago
The crash stack looks IME related.
Comment 4•3 years ago
Bug 1729003 is a preexisting bug on this crash signature.
Looking at crash stats, there are around 1300 crashes with this signature and NotifyIME in the proto signature, for what that is worth.
Comment 5•3 years ago (Reporter)
Thanks for the information, Andrew. Are we in the process of fixing this bug? This could be a security problem, as there are multiple ways to trigger this on a victim's browser; one such way is a JavaScript code snippet to trick the victim into pressing Ctrl+A.
Comment 6•3 years ago
Yes, hopefully somebody can look at it. Generally speaking, crashing the browser is usually not a severe security issue, because users can restart the browser and just not visit the web page again, but we do try to avoid crashes.
Comment 7•3 years ago
This doesn't look like a security issue to me either, but it's a __fastfail() crash, which we wouldn't have caught just a few months ago. It's bad enough that Windows thinks the process is compromised beyond redemption.
We are deep in Microsoft code at the point where the crash occurs, but given that most of the functions on the stack look like wrappers, it might be that we're feeding the Windows IME some malformed data. My Windows knowledge in this area is limited; Masayuki, Makoto, can you please help us debug this issue? I'm sure you're more familiar with this code than I am.
Comment 8•3 years ago
My understanding is that FastFailException means that the exception handler cannot catch an exception. The general reason is that the stack is corrupt, so Windows cannot look for an exception handler.
So I guess that this is Microsoft's TSF bug on Windows 10 20H2+?
Comment 9•3 years ago (Assignee)
6 textinputframework.dll long CQueryTextAsync::Then(class std::function<long (long, struct MsgString*)) cfi
7 textinputframework.dll long TextInputClient::NotifyTextChangedInternal(class ClientOwnerRegistration*, int, int, int, int, int, struct EditOperationInfo&, unsigned char, unsigned char) cfi
It seems that TSF queried text, selection, text extent, etc. in TextInputClient::NotifyTextChangedInternal. So what we return could be the direct cause of the crash. However, TSF shouldn't crash even if apps return an odd result. Before asking MS, we should get a log of TSFTextStore and investigate what happens.
Comment 10•3 years ago
I might be able to extract some information from the minidump by opening in VS if that could be useful. What would we be looking for? The parameters we passed into the textinputframework.dll calls?
Comment 11•3 years ago (Assignee)
Here is a log after the selection change notification:
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_SELECTION_CHANGE), Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnSelectionChangeInternal(aIMENotification={ mSelectionChangeData={ mOffset=0, mString.Length()=1816, GetWritingMode()=h-ltr, mReversed=false, mCausedByComposition=false, mCausedBySelectionEvent=false, mOccurredDuringComposition=false } }), mDestroyed=false, mSink=0x1aa4f720ff8, mSinkMask=TS_AS_TEXT_CHANGE | TS_AS_SEL_CHANGE | TS_AS_LAYOUT_CHANGE | TS_AS_ATTR_CHANGE | TS_AS_STATUS_CHANGE, mIsRecordingActionsWithoutLock=false, mComposition=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::MaybeFlushPendingNotifications(), calling TSFTextStore::NotifyTSFOfSelectionChange()...
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfSelectionChange(), selection isn't actually changed.
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_POSITION_CHANGE), Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling NotifyTSFOfLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), calling ITextStoreACPSink::OnLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock(dwLockFlags=TS_LF_READ, phrSession=0x8f691fcb20), mLock=not-specified, mDestroyed=false
I/nsTextStoreWidgets 0x1aa5c00d310 Locking (TS_LF_READ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt(vcView=1, acpStart=0, acpEnd=1816, prc=0x8f691fc2a0, pfClipped=0x8f691fc268), IsHandlingCompositionInParent()=false, IsHandlingCompositionInContent()=false, mContentForTSF=<Nothing>, mSelectionForTSF={ mACP={ acpStart=0, acpEnd=1816, style={ ase=TS_AE_END, fInterimChar=FALSE } }, mWritingMode=h-ltr, Collapsed()=false, Length=1816 }, mComposition=<Nothing>, mDeferNotifyingTSF=false, mWaitingQueryLayout=false, IMEHandler::IsA11yHandlingNativeCaret()=true
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQueryTextRect, mInput={ mOffset=0, mLength=1816 } }, aWidget=0x1aa544d1e00), mText.Length()=1816
I/ContentCacheWidgets 0x1aa68d95b10 GetUnionTextRects(aOffset=0, aLength=1816, aRoundToExistingOffset=false), mTextRectArray=<Nothing>, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mLastCommitStringTextRectArray=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), Succeeded, aEvent={ mMessage=eQueryTextRect mReply={ mOffsetAndData={ mOffset=0, mData="CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) ... LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A)", Length()=1816, EndOffset()=1816 }, mHasSelection=false, mWritingMode=h-ltr, mContentsRoot=0x0000000000000000, mFocusedWidget=0x000001AA544D1E00, mRect=(x=452, y=-91, w=895, h=3578) } }
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt() succeeded: *prc={ left=915, top=88, right=1810, bottom=1940 }, *pfClipped=true
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 Unlocked (TS_LF_READ) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock() succeeded: *phrSession=S_OK
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), called ITextStoreACPSink::OnLayoutChange()
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), succeeded notifying TIP of our layout change
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling MaybeFlushPendingNotifications()...
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_POSITION_CHANGE), Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling NotifyTSFOfLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), calling ITextStoreACPSink::OnLayoutChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock(dwLockFlags=TS_LF_READ, phrSession=0x8f691fcb20), mLock=not-specified, mDestroyed=false
I/nsTextStoreWidgets 0x1aa5c00d310 Locking (TS_LF_READ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt(vcView=1, acpStart=0, acpEnd=1816, prc=0x8f691fc2a0, pfClipped=0x8f691fc268), IsHandlingCompositionInParent()=false, IsHandlingCompositionInContent()=false, mContentForTSF=<Nothing>, mSelectionForTSF={ mACP={ acpStart=0, acpEnd=1816, style={ ase=TS_AE_END, fInterimChar=FALSE } }, mWritingMode=h-ltr, Collapsed()=false, Length=1816 }, mComposition=<Nothing>, mDeferNotifyingTSF=false, mWaitingQueryLayout=false, IMEHandler::IsA11yHandlingNativeCaret()=true
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQueryTextRect, mInput={ mOffset=0, mLength=1816 } }, aWidget=0x1aa544d1e00), mText.Length()=1816
I/ContentCacheWidgets 0x1aa68d95b10 GetUnionTextRects(aOffset=0, aLength=1816, aRoundToExistingOffset=false), mTextRectArray=<Nothing>, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=452, y=3524, w=1, h=24), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mLastCommitStringTextRectArray=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), Succeeded, aEvent={ mMessage=eQueryTextRect mReply={ mOffsetAndData={ mOffset=0, mData="CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) NO-BREAK SPACE (0x00A0) SPACE (0x0020) ... LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) NO-BREAK SPACE (0x00A0) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A) CARRIAGE RETURN (0x000D) LINE FEED (0x000A)", Length()=1816, EndOffset()=1816 }, mHasSelection=false, mWritingMode=h-ltr, mContentsRoot=0x0000000000000000, mFocusedWidget=0x000001AA544D1E00, mRect=(x=452, y=-91, w=895, h=3578) } }
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetTextExt() succeeded: *prc={ left=915, top=88, right=1810, bottom=1940 }, *pfClipped=true
<snip>
I/nsTextStoreWidgets 0x1aa5c00d310 Unlocked (TS_LF_READ) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock() succeeded: *phrSession=S_OK
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), called ITextStoreACPSink::OnLayoutChange()
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfLayoutChange(), succeeded notifying TIP of our layout change
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnLayoutChangeInternal(), calling MaybeFlushPendingNotifications()...
I/ContentCacheWidgets 0x1aa68d95b10 AssignContent(aNotification=NOTIFY_IME_OF_TEXT_CHANGE), Succeeded, mText.Length()=1806, mSelection={ mAnchor=0, mFocus=1816, mWritingMode=h-ltr, mAnchorCharRects[eNextCharRect]=(x=451, y=-95, w=1, h=24), mFocusCharRects[ePrevCharRect]=(x=0, y=0, w=0, h=0), mFocusCharRects[eNextCharRect]=(x=452, y=3524, w=1, h=24), mRect=(x=452, y=-91, w=895, h=3578), Reversed()=false, StartOffset()=0, EndOffset()=1816, Collapsed()=false, Length()=1816 }, mFirstCharRect=(x=451, y=-95, w=1, h=24), mCaret={ mOffset=0, mRect=(x=451, y=-95, w=1, h=24) }, mTextRectArray=<Nothing>, mWidgetHasComposition=false, mPendingCompositionCount=0, mCompositionStart=<Nothing>, mPendingCommitLength=0, mEditorRect=(x=452, y=-95, w=1173, h=3646), mLastCommitStringTextRectArray=<Nothing>
D/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::OnTextChangeInternal(aIMENotification={ mMessage=0x00000004, mTextChangeData={ mStartOffset=1061, mRemoveEndOffset=1071, mAddedEndOffset=1061, mCausedOnlyByComposition=false, mIncludingChangesDuringComposition=false, mIncludingChangesWithoutComposition=true } }), mDestroyed=false, mSink=0x1aa4f720ff8, mSinkMask=TS_AS_TEXT_CHANGE | TS_AS_SEL_CHANGE | TS_AS_LAYOUT_CHANGE | TS_AS_ATTR_CHANGE | TS_AS_STATUS_CHANGE, mComposition=<Nothing>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::MaybeFlushPendingNotifications(), calling TSFTextStore::NotifyTSFOfTextChange()...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::NotifyTSFOfTextChange(), calling ITextStoreACPSink::OnTextChange(0, { acpStart=1061, acpOldEnd=1071, acpNewEnd=1061 })...
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::RequestLock(dwLockFlags=TS_LF_READ, phrSession=0x8f691fc9f4), mLock=not-specified, mDestroyed=false
I/nsTextStoreWidgets 0x1aa5c00d310 Locking (TS_LF_READ) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetSelection(ulIndex=4294967295, ulCount=1, pSelection=0x8f691fc560, pcFetched=0x8f691fc6b0)
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1aa544d1e00)
E/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), FAILED because mSelection is not valid
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetSelection() returns fake selection range for avoiding a crash in TSF, *pSelection={ acpStart=0, acpEnd=0, style={ ase=TS_AE_START, fInterimChar=FALSE } }
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText(acpStart=437, acpEnd=-1, pchPlain=0x7ffd1c4ca7e0, cchPlainReq=128, pcchPlainOut=0x8f691fbb10, prgRunInfo=0x7ffd1c4ca8f0, ulRunInfoReq=33, pulRunInfoOut=0x7ffd1c4ca8e4, pacpNext=0x7ffd1c4ca8e0), mComposition=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1aa544d1e00)
E/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), FAILED because mSelection is not valid
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::ContentForTSF(), FAILED, due to SelectionForTSF() failure
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText() FAILED due to ContentForTSF() failure
I/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText(acpStart=469, acpEnd=495, pchPlain=0x1aa4f712290, cchPlainReq=26, pcchPlainOut=0x8f691fbe28, prgRunInfo=0x8f691fbbf0, ulRunInfoReq=16, pulRunInfoOut=0x8f691fbbc0, pacpNext=0x8f691fbbc4), mComposition=<Nothing>
I/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(aEvent={ mMessage=eQuerySelectedText }, aWidget=0x1aa544d1e00)
E/ContentCacheWidgets 0x1aa68d95b10 HandleQueryContentEvent(), FAILED because mSelection is not valid
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::ContentForTSF(), FAILED, due to SelectionForTSF() failure
E/nsTextStoreWidgets 0x1aa5c00d310 TSFTextStore::GetText() FAILED due to ContentForTSF() failure
Comment 12•3 years ago (Assignee)
First, the flattened plaintext of the editor has 1816 characters.
Next, TSF requests the selection text (union) rect and the editor rect in screen coordinates. The latter is omitted from the log, but the complicated thing, computing the union rect, succeeds and returns { left=915, top=88, right=1810, bottom=1940 }. Then we send layout change information twice, although I don't know for what (caused by scrolling?). Then we notify a text change: 1061 ~ 1071 is removed.
Then TSF retrieves the selection range. At this time, we fail because mSelection is not valid. To avoid confusing TSF, we return a collapsed selection at the start of the document ({ acpStart=0, acpEnd=0, style={ ase=TS_AE_START, fInterimChar=FALSE } }). Then TSF tries to retrieve text at 437 ~ end and 469 ~ 495. Both times we fail to return the correct value and return E_FAIL.
It seems that TSF or Microsoft's IME common code does not handle the error correctly. I can't reproduce this bug with ATOK, which is a third party Japanese IME. I tested this on Win11.
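The log in comment 11 shows the cached text shrinking to 1806 characters while the cached selection still ends at 1816, right before GetSelection() fails. The following is an added example, not Mozilla code, that scans log lines of that shape for the mismatch so it can be spotted without reading the whole dump. The sample lines are constructed (shortened copies of the AssignContent lines above); the function and struct names are this example's own.

```cpp
// Added example (not Mozilla code): flag AssignContent(...) log lines whose
// cached selection end offset exceeds the cached text length.
#include <iostream>
#include <regex>
#include <string>
#include <vector>

struct CacheSnapshot {
    std::string notification;  // e.g. NOTIFY_IME_OF_TEXT_CHANGE
    long textLength = 0;       // value of mText.Length()
    long selectionEnd = 0;     // value of mSelection EndOffset()
    // A selection that ends past the text cannot be served correctly.
    bool Consistent() const { return selectionEnd <= textLength; }
};

// Parse one AssignContent(...) line. Returns false for lines that are not
// AssignContent snapshots or that lack one of the fields we need.
bool ParseAssignContent(const std::string& line, CacheSnapshot& out) {
    static const std::regex kNotif(R"(AssignContent\(aNotification=([A-Z_]+)\))");
    static const std::regex kTextLen(R"(mText\.Length\(\)=(\d+))");
    // "EndOffset()=" with parentheses, so mRemoveEndOffset=... is not matched.
    static const std::regex kEndOffset(R"(EndOffset\(\)=(\d+))");
    std::smatch m;
    if (!std::regex_search(line, m, kNotif)) return false;
    out.notification = m[1].str();
    if (!std::regex_search(line, m, kTextLen)) return false;
    out.textLength = std::stol(m[1].str());
    if (!std::regex_search(line, m, kEndOffset)) return false;
    out.selectionEnd = std::stol(m[1].str());
    return true;
}

// Returns the notification names of every snapshot whose selection outlives
// its text, in log order.
std::vector<std::string> FindInconsistentSnapshots(const std::vector<std::string>& lines) {
    std::vector<std::string> bad;
    for (const auto& line : lines) {
        CacheSnapshot s;
        if (ParseAssignContent(line, s) && !s.Consistent()) {
            bad.push_back(s.notification);
        }
    }
    return bad;
}

// Constructed sample lines mirroring the shape of the log in comment 11.
const std::vector<std::string> kSampleLog = {
    "I/ContentCacheWidgets 0x1 AssignContent(aNotification=NOTIFY_IME_OF_SELECTION_CHANGE), "
    "Succeeded, mText.Length()=1816, mSelection={ mAnchor=0, mFocus=1816, StartOffset()=0, "
    "EndOffset()=1816, Length()=1816 }",
    "I/nsTextStoreWidgets 0x2 TSFTextStore::NotifyTSFOfLayoutChange(), "
    "calling ITextStoreACPSink::OnLayoutChange()...",
    "I/ContentCacheWidgets 0x1 AssignContent(aNotification=NOTIFY_IME_OF_TEXT_CHANGE), "
    "Succeeded, mText.Length()=1806, mSelection={ mAnchor=0, mFocus=1816, StartOffset()=0, "
    "EndOffset()=1816, Length()=1816 }",
};

int main() {
    for (const auto& n : FindInconsistentSnapshots(kSampleLog)) {
        std::cout << "selection end exceeds text length at " << n << "\n";
    }
    return 0;
}
```

Run against a real ContentCacheWidgets log, the first flagged notification is the point from which every later GetSelection()/GetText() answer is suspect.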
Comment 13•3 years ago (Assignee)
Asking Microsoft's developer about the stack, telling them that we return E_FAIL from GetText()...
Comment 14•3 years ago (Assignee)
(I'll keep investigating why mSelection becomes invalid with the flow.)
Comment 15•3 years ago (Assignee)
Filed our side's failure as a normal bug (bug 1746104).
Comment 16•3 years ago
(Set to S2 due to the crash, feel free to modify if you don't agree)
Comment 17•3 years ago (Assignee)
Unfortunately, fixing only bug 1746104 is not enough, because I confirmed that there is another bug which makes ContentCacheInParent have different text lengths for the selection and the text. I'm still not sure what causes it, but I think that it should be relaxed to avoid the crash for now.
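To make the "relax it" idea concrete, here is an added example that is not Mozilla's patch: a small model of a content cache whose selection can disagree with its text (as in comment 11, where 10 characters were removed at 1061 ~ 1071 while the selection still ended at 1816). It contrasts a strict query, which refuses to answer and leaves the caller with an error it may not handle, with a relaxed query that clamps the selection into the text range. All names and the scenario builder are this example's own.

```cpp
// Added example (hypothetical, not Mozilla's fix): strict vs. relaxed handling
// of a selection that no longer fits the cached text.
#include <algorithm>
#include <cstdint>
#include <optional>
#include <string>

struct SelectionRange {
    uint32_t start;
    uint32_t end;
};

struct ContentCache {
    std::u16string text;   // flattened plaintext, like mText
    uint32_t anchor = 0;   // like mSelection.mAnchor
    uint32_t focus = 0;    // like mSelection.mFocus

    uint32_t StartOffset() const { return std::min(anchor, focus); }
    uint32_t EndOffset() const { return std::max(anchor, focus); }
    // The invariant the real cache lost: the selection must lie inside the text.
    bool IsSelectionValid() const { return EndOffset() <= text.size(); }
};

// Strict behaviour: refuse to answer when the cache is inconsistent. The caller
// then has to cope with a failure, which is where comment 12 saw trouble.
std::optional<SelectionRange> QuerySelectionStrict(const ContentCache& c) {
    if (!c.IsSelectionValid()) return std::nullopt;
    return SelectionRange{c.StartOffset(), c.EndOffset()};
}

// Relaxed behaviour: clamp both ends into [0, text.size()] so the caller always
// receives a range that exists in the current text.
SelectionRange QuerySelectionRelaxed(const ContentCache& c) {
    const uint32_t len = static_cast<uint32_t>(c.text.size());
    return SelectionRange{std::min(c.StartOffset(), len), std::min(c.EndOffset(), len)};
}

// Text query with range validation; end < 0 means "to the end of the text",
// mirroring the acpEnd=-1 request in the log.
std::optional<std::u16string> QueryText(const ContentCache& c, int64_t start, int64_t end) {
    const int64_t len = static_cast<int64_t>(c.text.size());
    if (end < 0) end = len;
    if (start < 0 || start > end || end > len) return std::nullopt;
    return c.text.substr(static_cast<size_t>(start), static_cast<size_t>(end - start));
}

// Constructed scenario: 1816 characters fully selected, then 10 characters
// removed (mStartOffset=1061, mRemoveEndOffset=1071) without updating the
// selection, leaving text.size() == 1806 but EndOffset() == 1816.
ContentCache MakeStaleCache() {
    ContentCache c;
    c.text.assign(1816, u'a');
    c.anchor = 0;
    c.focus = 1816;
    c.text.erase(1061, 10);
    return c;
}
```

The relaxed query is a stop-gap, not a fix: it keeps the text store answering consistently while the real cause of the stale selection (the separate bug the assignee mentions) is tracked down, and QueryText still validates every range it is handed against the actual text.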
Comment 18•3 years ago (Assignee)
Okay, I found the other bug which causes TSFTextStore to fail to get the selection. I filed bug 1752956 to fix it.
Comment 19•3 years ago (Assignee)
Now the patches have landed, so this must be fixed in the Nightly channel.
Comment 20•3 years ago
Unfortunately, this does not appear to be exploitable beyond a Denial of Service attack and is therefore not eligible for our Bug Bounty program.
Comment 21•3 years ago
Hi Aryan! Could you please help us verify whether the issue is fixed on your end with the latest Nightly 99?
I'm unable to reproduce the crash on Win 10 (Nightly 96.0a1, 2021-11-06), although I tested with the same Jira ticket posted in comment 0.
Comment 22•3 years ago (Reporter)
Hey Ciprian,
I'm so sorry for the delayed response here. I was extensively busy and away from my personal machine. I retested and tried reproducing the behaviour at my end and can confirm that the issue is no longer reproducible.
Thanks and regards!
Comment 23•3 years ago
No worries, thanks for taking the time to test this! Marking the bug as verified fixed per comment 22.