Bug 315254 - CVE-2006-1529 Crash [@ js_FreeStack] involving the unknown protocol error dialog
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] Doesn't appear to affe...
Keywords: crash, testcase, verified1.8.0.2, verified1.8.1
Product: Core
Classification: Components
Component: Networking
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: benc
Depends on: 310508
Blocks: iexploder
Reported: 2005-11-06 00:12 PST by Jesse Ruderman
Modified: 2007-04-05 13:44 PDT (History)
dveditz: blocking1.8.0.1-
dveditz: blocking1.8.0.2+
bob: in-testsuite?


Attachments
testcase - crashes firefox when you dismiss the dialog (130 bytes, text/html), 2005-11-06 00:13 PST, Jesse Ruderman
apple crash report with stack trace (22.07 KB, text/plain), 2005-11-06 00:14 PST, Jesse Ruderman
valgrind log (27.25 KB, text/plain), 2005-11-06 23:36 PST, Andrew Schultz
testcase involving the password-in-URL warning (crashes Firefox) (350 bytes, text/html), 2005-11-07 16:48 PST, Jesse Ruderman

Description Jesse Ruderman 2005-11-06 00:12:24 PST
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051105 Firefox/1.6a1

Found using http://toadstool.se/software/iexploder/ (Tests #8200-8250).

See also bug 312680 and bug 74331.
Comment 1 Jesse Ruderman 2005-11-06 00:13:04 PST
Created attachment 201980 [details]
testcase - crashes firefox when you dismiss the dialog
Comment 2 Jesse Ruderman 2005-11-06 00:14:14 PST
Created attachment 201981 [details]
apple crash report with stack trace
Comment 3 Jesse Ruderman 2005-11-06 00:14:51 PST
TB11505985Z
Comment 4 Blake Kaplan (:mrbkap) 2005-11-06 02:50:55 PST
See also bug 315254.
Comment 5 Blake Kaplan (:mrbkap) 2005-11-06 02:51:31 PST
(In reply to comment #4)
> See also bug 315254.

It's late :-(... I meant to point to bug 310508.
Comment 6 Andrew Schultz 2005-11-06 23:36:26 PST
Created attachment 202069 [details]
valgrind log

With a debug build, I get this assertion when the dialog opens:
###!!! ASSERTION: JSContext still in threadjscontextstack!: '!tls->GetJSContextStack() || !tls->GetJSContextStack()-> DEBUG_StackHasJSContext(aJSContext)', file /build/andrew/moz-debug/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1199

The fun in valgrind starts after I click OK in the dialog:
Invalid read of size 4
  JS_GetContextThread (jsapi.c:4744)
  XPCCallContext::XPCCallContext(XPCContext::LangType, JSContext*, JSObject*, JSObject*, long, unsigned, long*, long*) (xpccallcontext.cpp:99)
  nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) (xpcwrappedjsclass.cpp:1002)
  nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) (xpcwrappedjs.cpp:461)
  PrepareAndDispatch (xptcstubs_gcc_x86_unix.cpp:100)
  nsBrowserStatusFilter::ProcessTimeout() (nsBrowserStatusFilter.cpp:295)
  nsBrowserStatusFilter::TimeoutHandler(nsITimer*, void*) (nsBrowserStatusFilter.cpp:313)
  nsTimerImpl::Fire() (nsTimerImpl.cpp:400)
  handleTimerEvent(TimerEventType*) (nsTimerImpl.cpp:465)
  PL_HandleEvent (plevent.c:688) 
  PL_ProcessPendingEvents (plevent.c:623)
  nsEventQueueImpl::ProcessPendingEvents() (nsEventQueue.cpp:417)
 Address 0x20CBC010 is not stack'd, malloc'd or (recently) free'd
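A small C model of the lifetime violation comment 6 points at, added here as an illustration; it is not Mozilla code and does not reproduce the actual fix landed in bug 310508, which this page does not show. The assertion says a JSContext is still on the thread's context stack when it is about to go away, and the valgrind trace shows a timer-driven XPCCallContext later reading that context through JS_GetContextThread. The model below keeps a per-thread stack of contexts, destroys a context while it is still referenced (the buggy path, where the modal dialog's nested event loop tears the page down before the outer frame pops), and contrasts it with the balanced push/pop the debug check expects. All names (JSContextModel, ContextStack, stack_has, destroy_context, timer_callback, run_buggy, run_fixed) are made up for this example.

```c
#include <assert.h>
#include <stddef.h>

#define STACK_MAX 8

/* Model of a JSContext: only the fields the scenario needs. "alive" stands
 * in for the memory JS_DestroyContext would free; reading it after
 * destruction is the invalid read valgrind reported. (Hypothetical type.) */
typedef struct {
    int id;
    int alive;
} JSContextModel;

/* Model of the per-thread JS context stack (the real one is thread-local). */
typedef struct {
    JSContextModel *items[STACK_MAX];
    int depth;
} ContextStack;

static void stack_push(ContextStack *s, JSContextModel *cx) {
    assert(s->depth < STACK_MAX);
    s->items[s->depth++] = cx;
}

static JSContextModel *stack_pop(ContextStack *s) {
    assert(s->depth > 0);
    return s->items[--s->depth];
}

/* The question DEBUG_StackHasJSContext answers: does any frame still
 * reference this context? Returns 1 if so, 0 otherwise. */
static int stack_has(const ContextStack *s, const JSContextModel *cx) {
    for (int i = 0; i < s->depth; i++) {
        if (s->items[i] == cx) return 1;
    }
    return 0;
}

/* Release-build destruction: frees unconditionally. Returns 1 if the debug
 * assertion from comment 6 would have fired (context still on the stack). */
static int destroy_context(const ContextStack *s, JSContextModel *cx) {
    int still_referenced = stack_has(s, cx);
    cx->alive = 0;
    return still_referenced;
}

/* Stand-in for the timer-driven XPCCallContext constructor: it picks up the
 * top-of-stack context and asks for its thread. Returns the context id,
 * 0 if nothing is on the stack, -1 if the entry points at a dead context. */
static int timer_callback(const ContextStack *s) {
    if (s->depth == 0) return 0;
    const JSContextModel *top = s->items[s->depth - 1];
    return top->alive ? top->id : -1;
}

/* Failing sequence: script pushes its context, a modal dialog spins a nested
 * event loop in which the document and its context are torn down before the
 * outer frame pops, then a timer fires once the dialog is dismissed. */
static int run_buggy(void) {
    ContextStack stack = {{0}, 0};
    JSContextModel page_cx = {1, 1};
    stack_push(&stack, &page_cx);
    int assertion_fired = destroy_context(&stack, &page_cx);  /* no pop first */
    assert(assertion_fired == 1);
    return timer_callback(&stack);   /* -1: stale entry dereferenced */
}

/* The invariant the fix has to restore: whoever pushed the context pops it
 * before the context can be destroyed, so nothing stale survives. */
static int run_fixed(void) {
    ContextStack stack = {{0}, 0};
    JSContextModel page_cx = {1, 1};
    stack_push(&stack, &page_cx);
    (void)stack_pop(&stack);
    int assertion_fired = destroy_context(&stack, &page_cx);
    assert(assertion_fired == 0);
    return timer_callback(&stack);   /* 0: stack is empty, nothing stale */
}
```

The point of the model is the ordering, not the data structure: once a modal dialog can run a nested event loop from inside script, any teardown that frees the context before the outer frame unwinds leaves the stack holding a dangling pointer, and the next consumer of the top-of-stack entry (here a timer) reads freed memory. The debug assertion catches the first half of that; release builds only see the crash in the second half.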
Comment 7 Marcia Knous [:marcia - use ni] 2005-11-07 16:32:47 PST
I saw this crash while testing today's candidate build - TB11570612Z. Using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051107 Firefox/1.5.
Comment 8 Jesse Ruderman 2005-11-07 16:47:15 PST
Marcia's crash involves a different networking-related dialog but probably has the same underlying problem.  I'll attach a testcase for Marcia's crash in a minute.
Comment 9 Jesse Ruderman 2005-11-07 16:48:07 PST
Created attachment 202177 [details]
testcase involving the password-in-URL warning (crashes Firefox)
Comment 10 Marc Bejarano 2005-11-10 23:18:19 PST
talkback: TB11693607G may be this
Comment 11 Daniel Veditz [:dveditz] 2005-12-15 11:46:21 PST
Probably exploitable given valgrind showing illegal memory writes
Comment 12 Daniel Veditz [:dveditz] 2005-12-15 12:03:15 PST
Another talkback: TB12992699

My crash looks like:
FreeArenaList  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsarena.c, line 335]
nsWindowWatcher::OpenWindow  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 477]
nsPromptService::DoDialog  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 634]
nsPromptService::Alert  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 133]
nsPrompt::Alert  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPrompt.cpp, line 217]
nsDocShell::DisplayLoadError  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3045]
nsDocShell::InternalLoad  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 6585]
nsDocShell::LoadURI  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 793]
nsFrameLoader::LoadFrame  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 172]
nsGenericHTMLFrameElement::LoadSrc  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3538]
nsGenericElement::AppendChildTo  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2803]
SinkContext::OpenContainer  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 1221]
HTMLContentSink::OpenContainer  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 2933]
CNavDTD::HandleDefaultStartToken  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1283]
CNavDTD::HandleStartToken  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1668]
CNavDTD::HandleToken  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955]
CNavDTD::BuildModel  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458]
CNavDTD::BuildNeglectedTarget  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 516]
Comment 13 Mike Schroepfer 2006-02-09 16:46:07 PST
Bkap - can you take a second look at this to figure out whether we can get it in 1.8.0.2?
Comment 14 Blake Kaplan (:mrbkap) 2006-02-23 13:58:45 PST
I think the patch I just attached to bug 310508 will fix this bug as well.
Comment 15 Blake Kaplan (:mrbkap) 2006-02-24 13:16:47 PST
This should now be fixed on trunk since the patch for bug 310508 is checked in.
Comment 16 Blake Kaplan (:mrbkap) 2006-02-27 13:29:03 PST
This is now fixed on the 1.8 branches (thanks to bug 310508).
Comment 17 Dave Liebreich [:davel] 2006-03-01 14:15:06 PST
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Comment 18 Jay Patel [:jay] 2006-03-01 16:44:10 PST
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1, no crash with either testcase.
Comment 19 Bob Clary [:bc:] 2006-08-22 14:05:33 PDT
https://bugzilla.mozilla.org/attachment.cgi?id=201980
ff2b2 debug/nightly windows/linux no crash

https://bugzilla.mozilla.org/attachment.cgi?id=202177
ff2b2 debug/nightly windows/linux no crash

verified fixed 1.8
