Closed Bug 1915535 (CVE-2025-0238) Opened 11 months ago Closed 8 months ago

AddressSanitizer: heap-use-after-free on nsLineBreaker::FlushCurrentWord() after malloc failure

Categories

(Core :: Layout: Text and Fonts, defect, P2)

Product:
Core
Component:
Layout: Text and Fonts
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox-esr115 134+ fixed
firefox-esr128 134+ fixed
firefox133 --- wontfix
firefox134 + fixed
firefox135 + fixed

People

(Reporter: sourc7, Assigned: jfkthame)

Details

(Keywords: csectype-uaf, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main134+][adv-ESR128.6+][adv-ESR115.19+])

Attachments

(13 files)

minidump_0x838d084d.txt
9.15 KB, text/plain
Details
minidump_0x6573752d.txt
9.15 KB, text/plain
Details
minidump_sigill_0xebfdc845.txt
9.31 KB, text/plain
Details
nsLineBreaker-FlushCurrentWord.patch
738 bytes, patch
Details | Diff | Splinter Review
testcase.forpatch.html
425 bytes, text/html
Details
log_ffp_asan_546144.log.552434.txt
22.29 KB, text/plain
Details
log_ffp_asan_1188513.log.1277779.txt
20.36 KB, text/plain
Details
minidump_esr115.txt
6.08 KB, text/plain
Details
Bug 1915535 - Ensure consistent cleanup in nsLineBreaker::FlushCurrentWord. r=#layout
48 bytes, text/x-phabricator-request
Details | Review
Bug 1915535 - Ensure consistent cleanup in nsLineBreaker::FlushCurrentWord. r=#layout
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1915535 - Ensure consistent cleanup in nsLineBreaker::FlushCurrentWord. r=#layout
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr128+
Details | Review
Bug 1915535 - [esr115] Ensure consistent cleanup in nsLineBreaker::FlushCurrentWord.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details | Review
advisory.txt
194 bytes, text/plain
Details

After run document.execCommand("insertLineBreak") and setRangeText in loop, when malloc failure on nsLineBreaker::FlushCurrentWord() in if (!breakState.AppendElements(length, mozilla::fallible)) { Firefox able to crash with SIGSEGV/SEGV_ACCERR with changing address, sometimes SIGILL/ILL_ILLOPN with changing top stack, and ASan heap-use-after-free on nsLineBreaker::FlushCurrentWord() with READ of size 4 (32-bit) and READ of size 8 (64-bit) ASan build

Tested on:

  • Firefox 129.0.2 (32-bit)
  • Firefox Nightly 131.0a1 (2024-08-28) (32-bit)

Steps to reproduce:

  1. Apply attached nsLineBreaker-FlushCurrentWord.patch
  2. Compile Firefox
  3. Visit attached testcase.forpatch.html
  4. Firefox crash with SIGSEGV / SEGV_ACCERR or AddressSanitizer: heap-use-after-free on ASan build
Flags: sec-bounty?
Attached file testcase.forpatch.html

nsLineBreaker is under dom/ but it looks mostly related to text, so I'll put it in Layout.

I'm marking this sec-moderate because it requires an OOM. If you can demonstrate a reliable test case without patching Firefox, we could probably raise it to sec-high.

Group: firefox-core-security → layout-core-security
Component: Security → Layout: Text and Fonts
Keywords: csectype-uaf, sec-moderate
Product: Firefox → Core

(In reply to Andrew McCreight [:mccr8] from comment #7)

I'm marking this sec-moderate because it requires an OOM. If you can demonstrate a reliable test case without patching Firefox, we could probably raise it to sec-high.

Thanks, I originally able to reproduce this on Firefox Nightly 32-bit official build, however the testcase is still intermittent, I'll try to improve the testcase reliability to hit SEGV_ACCERR crash.

I also able to reproduce this on Firefox 115.14.0esr (32-bit).

Attached file minidump_esr115.txt

Let's start with S2, seems worth fixing.

Severity: -- → S2
Flags: needinfo?(jfkthame)
Priority: -- → P2

The problem here occurs because if we bail out of FlushCurrentWord due to an allocation failure (which could happen for either the breakState or capitalizationState arrays), we don't just fail to set up break positions and/or capitalization -- which is the expected result of the failure -- we also miss the final "cleanup" of state that's supposed to happen at the end of FlushCurrentWord.

That doesn't immediately cause a problem, but it does leave the mTextItems array holding pointers that were supposed to be cleared, and are about to be freed. So then by the next time we call FlushCurrentWord those items are no longer valid, and we crash trying to access them.

The fix should be to ensure that we always clear the mTextItems array when FlushCurrentWord finishes, even if an error occurred so that we weren't able to set up breaks.

After doing that, the testcase here just happily infinite-loops, as expected. (Presumably it will eventually OOM in some other place, as it is endlessly adding content...)

Flags: needinfo?(jfkthame)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/10af4f9659db Ensure consistent cleanup in nsLineBreaker::FlushCurrentWord. r=layout-reviewers,emilio

Backed out for non-unified build bustage on nsLineBreaker.cpp:
https://hg.mozilla.org/integration/autoland/rev/03d28e6bd1f816bcdadefd0f0f9de55af1dbdc6d

Push with failures
Build log

[task 2024-12-02T18:24:07.272Z] 18:24:07    ERROR -  /builds/worker/checkouts/gecko/dom/base/nsLineBreaker.cpp:154:18: error: use of undeclared identifier 'MakeScopeExit'; did you mean 'mozilla::MakeScopeExit'?
[task 2024-12-02T18:24:07.273Z] 18:24:07     INFO -    154 |   auto cleanup = MakeScopeExit([&] {
[task 2024-12-02T18:24:07.274Z] 18:24:07     INFO -        |                  ^~~~~~~~~~~~~
[task 2024-12-02T18:24:07.274Z] 18:24:07     INFO -        |                  mozilla::MakeScopeExit
[task 2024-12-02T18:24:07.274Z] 18:24:07     INFO -  /builds/worker/workspace/obj-build/dist/include/mozilla/ScopeExit.h:119:39: note: 'mozilla::MakeScopeExit' declared here
[task 2024-12-02T18:24:07.274Z] 18:24:07     INFO -    119 | [[nodiscard]] ScopeExit<ExitFunction> MakeScopeExit(
[task 2024-12-02T18:24:07.274Z] 18:24:07     INFO -        |                                       ^
Flags: needinfo?(jfkthame)
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ac1f0158c2f2 Ensure consistent cleanup in nsLineBreaker::FlushCurrentWord. r=layout-reviewers,emilio

https://hg.mozilla.org/mozilla-central/rev/ac1f0158c2f2

Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
status-firefox135: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch

The patch landed in nightly and beta is affected.
:jfkthame, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox134 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)
Attachment #9441645 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: potential use-after-free after a memory-allocation failure
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: low
  • Explanation of risk level: Just ensures early-return codepaths don't skip required cleanup
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: needinfo?(jfkthame)
Flags: sec-bounty? → sec-bounty+
Attachment #9441645 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

Please nominate this for ESR128 and ESR115 approval. It'll need a minor bit of rebasing for ESR115.

Flags: needinfo?(jfkthame)
Attachment #9443207 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: potential use-after-free after a memory-allocation failure
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: low
  • Explanation of risk level: Just ensures early-return codepaths don't skip required cleanup
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9443220 - Flags: approval-mozilla-esr115?

esr115 Uplift Approval Request

  • User impact if declined: potential use-after-free after a memory-allocation failure
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: low
  • Explanation of risk level: Just ensures early-return codepaths don't skip required cleanup
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: needinfo?(jfkthame)
Attachment #9443220 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9443207 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main134+][adv-ESR128.6+][adv-ESR115.19+]
Alias: CVE-2025-0238
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: