Closed Bug 1788528 Opened 2 years ago Closed 2 years ago

ZDI-CAN-18594: Mozilla Firefox JIT Boolean Conversion Crash due to missing check for uninitialized lexicals

Categories: Core :: JavaScript Engine: JIT, defect, P1
Status: RESOLVED FIXED, 106 Branch
Tracking Status: firefox106 --- fixed
People: Reporter: tjr, Assigned: jandem
References: Blocks 2 open bugs
Details: Keywords: testcase, Whiteboard: [external-reporter]
Attachments: 3 files

ZDI-CAN-18594: Mozilla Firefox JIT Boolean Conversion Uninitialized Variable Remote Code Execution Vulnerability

-- CVSS -----------------------------------------

5.4: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Mozilla - Firefox

-- VULNERABILITY DETAILS ------------------------

Analysis

Use of an uninitialized variable during handling of a boolean conversion. This leads to a non-object being passed to the js::ToBooleanSlow function:

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe" http://127.0.0.1/poc_min.html

(17b4.1b58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!JS::GetClass [inlined in xul!js::ToBooleanSlow+0x3f]:
00007ff8`9081ee5f 488b08 mov rcx,qword ptr [rax] ds:00048000`0000000a=????????????????
3:078> u .
xul!JS::GetClass [/builds/worker/checkouts/gecko/js/src/builtin/Boolean.cpp @ 173] [inlined in xul!js::ToBooleanSlow+0x3f [/builds/worker/checkouts/gecko/js/src/builtin/Boolean.cpp @ 173]]:
00007ff8`9081ee5f 488b08 mov rcx,qword ptr [rax]
00007ff8`9081ee62 488b09 mov rcx,qword ptr [rcx]
00007ff8`9081ee65 488b09 mov rcx,qword ptr [rcx]
00007ff8`9081ee68 f6410a08 test byte ptr [rcx+0Ah],8
00007ff8`9081ee6c 7524 jne xul!js::ToBooleanSlow+0x72 (00007ff8`9081ee92)
00007ff8`9081ee6e 488b00 mov rax,qword ptr [rax]
00007ff8`9081ee71 488b00 mov rax,qword ptr [rax]
00007ff8`9081ee74 488b00 mov rax,qword ptr [rax]
3:078> k
# Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- xul!JS::GetClass [/builds/worker/workspace/obj-build/dist/include/js/Object.h @ 47]
01 (Inline Function) --------`-------- xul!js::IsProxy [/builds/worker/workspace/obj-build/dist/include/js/Proxy.h @ 377]
02 (Inline Function) --------`-------- xul!js::IsWrapper [/builds/worker/workspace/obj-build/dist/include/js/Wrapper.h @ 393]
03 (Inline Function) --------`-------- xul!JSObject::is [/builds/worker/checkouts/gecko/js/src/vm/NativeObject.h @ 1730]
04 (Inline Function) --------`-------- xul!js::EmulatesUndefined [/builds/worker/checkouts/gecko/js/src/builtin/Boolean-inl.h @ 22]
05 000000f2`cfdfc8a0 00007ff8`90e30517 xul!js::ToBooleanSlow+0x3f [/builds/worker/checkouts/gecko/js/src/builtin/Boolean.cpp @ 173]
06 (Inline Function) --------`-------- xul!JS::ToBoolean+0xb8 [/builds/worker/workspace/obj-build/dist/include/js/Conversions.h @ 128]
07 000000f2`cfdfc8d0 0000024e`cc907fb7 xul!js::jit::DoToBoolFallback+0x347 [/builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp @ 607]
08 000000f2`cfdfcb00 00000231`b941d100 0x0000024e`cc907fb7
09 000000f2`cfdfcb08 0000190d`57823c70 0x00000231`b941d100
0a 000000f2`cfdfcb10 00000000`00000000 0x0000190d`57823c70
3:078> lmvm xul
start end module name
00007ff8`8efd0000 00007ff8`96272000 xul (private pdb symbols) \\vmware-host\shared folders\shared\symbols-mozilla-104.0\xul.pdb\608D7586F4E1D2484C4C44205044422E1\xul.pdb
Loaded symbol image file: C:\Program Files\Mozilla Firefox\xul.dll
Image path: C:\Program Files\Mozilla Firefox\xul.dll
Image name: xul.dll
Timestamp: Thu Aug 18 16:47:37 2022 (62FEA569)
CheckSum: 071D22AB
ImageSize: 072A2000
File version: 104.0.0.8265
Product version: 104.0.0.8265
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0
Information from resource tables:
CompanyName: Mozilla Foundation
ProductName: Firefox
InternalName:
OriginalFilename: xul.dll
ProductVersion: 104.0
FileVersion: 104.0
FileDescription:
LegalCopyright: License: MPL 2
LegalTrademarks: Mozilla
Comments:
3:078> vertarget
Windows 10 Version 19044 MP (2 procs) Free x64
Product: WinNt, suite: SingleUserTS
19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Debug session time: Mon Aug 29 13:39:25.324 2022 (UTC - 4:00)
System Uptime: 0 days 12:42:16.034
Process Uptime: 0 days 0:00:24.951
Kernel time: 0 days 0:00:00.125
User time: 0 days 0:00:00.046

ASAN output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4986==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f0380782aa6 bp 0x7ffc9c5e50e0 sp 0x7ffc9c5e50e0 T0)
==4986==The signal is caused by a READ memory access.
==4986==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x7f0380782aa6 in GetClass /builds/worker/workspace/obj-build/dist/include/js/Object.h:47:56
#1 0x7f0380782aa6 in IsProxy /builds/worker/workspace/obj-build/dist/include/js/Proxy.h:377:10
#2 0x7f0380782aa6 in js::IsWrapper(JSObject const*) /builds/worker/workspace/obj-build/dist/include/js/Wrapper.h:393:10
#3 0x7f038d6ee605 in is<js::WrapperObject> /builds/worker/checkouts/gecko/js/src/vm/WrapperObject.h:32:10
#4 0x7f038d6ee605 in js::EmulatesUndefined(JSObject*) /builds/worker/checkouts/gecko/js/src/builtin/Boolean-inl.h:21:22
#5 0x7f038d6ee5d2 in js::ToBooleanSlow(JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/builtin/Boolean.cpp:171:11
#6 0x7f038e47a253 in ToBoolean /builds/worker/workspace/obj-build/dist/include/js/Conversions.h:128:10
#7 0x7f038e47a253 in js::jit::DoToBoolFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:607:15
#8 0x18c898614ef4 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/js/Object.h:47:56 in GetClass
==4986==ABORTING

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Hossein Lotfi of Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Presumably there was an attachment with the advisory mail and we'll get the testcase uploaded soon.

This is pretty light on context without the testcase. In the general area, I see that JS Records / Tuples are super broken in this ToBoolean code, but that feature is off by default. Filed that as Bug 1788535 and it is almost certainly unrelated.

"uninitialized variable" and "dereference of a high value address" suggest it could be MagicValue(JS_UNINITIALIZED_LEXICAL). Because we use XOR-unboxing, this would leave some of the high bits set when unboxing it as object and dereferencing (this is by design). I don't know how that turns into a remote code execution though.

The other option is that "uninitialized variable" refers to uninitialized memory on the stack, maybe in a JIT frame.

Attached file poc.html

Looks like the poc was missing? Apologies.

I can reproduce this in the JS shell. This is the MagicValue(JS_UNINITIALIZED_LEXICAL) case from comment 3.

Debug builds hit an assertion failure. Non-debug builds crash reliably dereferencing 0x480000000000a, an invalid address on 64-bit platforms. On 32-bit platforms this should crash at a near-null address. I don't think this is exploitable, but I'll take a closer look.

A simpler test case:

function f(i) {
    if (i === 14) {
        g();            // on the 15th call g() runs before `let val` is initialized (TDZ)
    }
    let val = 0;
    function g() {
        eval("");       // direct eval forces dynamic name resolution (BindName/GetBoundName)
        val ||= 1;      // reads `val` via GetBoundName without an uninitialized-lexical check
    }
    g();
}
for (var i = 0; i < 15; i++) {
    f(i);
}

If I replace that ||= with += we crash in ToNumberSlow.

I think the problem is that the obscure JSOp::GetBoundName op (that we only use for certain compound assignments) doesn't check for uninitialized lexicals.

(In reply to Jan de Mooij [:jandem] from comment #7)

I think the problem is that the obscure JSOp::GetBoundName op (that we only use for certain compound assignments) doesn't check for uninitialized lexicals.

The BindName that precedes GetBoundName does the TDZ check, but we don't check for this from the CacheIR IC stub we generate in BindNameIRGenerator::tryAttachEnvironmentName.

  • When using a normal assignment (val = 1) or val ??= 1 we don't throw a ReferenceError even though we should.
  • In non-debug builds, with the other assignment operators we either crash in ToBooleanSlow (||=, &&=) or we throw TypeError: can't convert symbol to number (+=, |=, val++, --val, etc).

This is a nice find, but I still don't see anything that's exploitable.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
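A regression check for the behaviour comment 8 describes, added here as an example (not code from the bug or from SpiderMonkey): it builds the same hoisted-closure-plus-eval pattern for each assignment form and records what the engine throws. A correct engine must throw ReferenceError for every row; the names OPERATORS, buildCase, tdzErrorName and checkAllOperators are this example's own.

```javascript
// Assignment forms from comment 8, each reaching `val` before its `let` runs.
const OPERATORS = [
  "val = 1", "val ??= 1",          // silently succeeded in the buggy build
  "val ||= 1", "val &&= 1",        // crashed in ToBooleanSlow
  "val += 1", "val |= 1", "val++", "--val", // TypeError (ToNumberSlow path)
];

// Same shape as the reduced test case: g() is hoisted, called before
// `let val = 0` is initialized, and contains a direct eval so that `val`
// is resolved dynamically at runtime instead of statically.
function buildCase(stmt) {
  return new Function(`
    function g() { eval(""); ${stmt}; }
    g();            // enters the temporal dead zone of \`val\`
    let val = 0;
    return val;
  `);
}

// Returns the constructor name of whatever the engine throws, or
// "no error" when the access is wrongly allowed through.
function tdzErrorName(stmt) {
  try {
    buildCase(stmt)();
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}

// Map each assignment form to its observed outcome.
function checkAllOperators() {
  const results = {};
  for (const stmt of OPERATORS) {
    results[stmt] = tdzErrorName(stmt);
  }
  return results;
}
```

Running the same script in the SpiderMonkey shell before and after the fix shows the difference directly: a fixed build reports ReferenceError for every entry.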

Setting S2 severity based on the crashing read address with no work-around for users.

Despite the bug title "Remote Code Execution", the bug description from ASan (“this fault was caused by a dereference of a high value address”) and from comment 5 / comment 8 suggests that this would not be exploitable.

Severity: -- → S2
Priority: -- → P1
Keywords: sec-high

Replace with more fine-grained CacheIR ops to avoid code duplication. This also
lets us reuse more code in the next part.

This is unlikely to affect performance because BindName is only used when
we don't know the scope chain statically (because of eval or similar).

Depends on D156460

Jan, can you help us and give this a sec rating?

Flags: needinfo?(jdemooij)

(In reply to Frederik Braun [:freddy] from comment #12)

Jan, can you help us and give this a sec rating?

I don't see a security issue here but it might make sense to keep it hidden given the title and comment 0. Maybe sec-low?

Flags: needinfo?(jdemooij)

If it isn't a security issue, we should unhide it. You can edit the "Remote Code Execution Vulnerability" in the summary to be more accurate.

Group: javascript-core-security
Summary: ZDI-CAN-18594: Mozilla Firefox JIT Boolean Conversion Uninitialized Variable Remote Code Execution Vulnerability → ZDI-CAN-18594: Mozilla Firefox JIT Boolean Conversion Crash due to missing check for uninitialized lexicals
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/db25a6f74394
part 1 - Remove LoadEnvironment*SlotResult ops. r=iain
https://hg.mozilla.org/integration/autoland/rev/5c7dddf497df
part 2 - Add lexical check to CacheIR stub for BindName. r=iain
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch