Closed Bug 319872 Opened 19 years ago Closed 19 years ago

CVE-2006-0297 probably an integer overflow in jsxml.c

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Version:
1.8 Branch
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: guninski, Assigned: mrbkap)

Details

(Keywords: verified1.8.0.1, verified1.8.0.2, verified1.8.1, Whiteboard: [sg:investigate] critical? [rft-dl])

Attachments

(4 files, 1 obsolete file)

crash in free()
338 bytes, text/html
Details
Patch for checkin
3.79 KB, patch
brendan
: review+
dveditz
: approval1.8.0.1+
dveditz
: approval1.8.1+
Details | Diff | Splinter Review
e4x/Regress/regress-319872.js
2.22 KB, text/plain
Details
Fix the bad call
839 bytes, patch
brendan
: review+
brendan
: approval-branch-1.8.1+
brendan
: approval1.8.0.2+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 in jsxml.c:2351 EscapeAttributeValue if (c == '"') newlength += 5; else if (c == '<') newlength += 3; else if (c == '&' || c == '\n' || c == '\r' || c == '\t') newlength += 4; this seems somewhat suspicous, because of "int too big" problem (probably after multiplication with sizeof(jschar) ). some empirical evidence suggests SEGV in free() after hitting this code, though the exact codepath is not determined yet. exploitability will be determined later. debug builds die from abort(), but 1.5 release crashes in free. testcase to follow. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1220606272 (LWP 16742)] 0xb753e339 in free () from /lib/tls/libc.so.6 #0 0xb753e339 in free () from /lib/tls/libc.so.6 #1 0xb7fc2ea9 in js_ReportCompileErrorNumberUC () from /opt/firefox15/libmozjs.so #2 0xb7fc2ef7 in js_FinishStringBuffer () from /opt/firefox15/libmozjs.so #3 0xb7fd342d in js_IsXMLName () from /opt/firefox15/libmozjs.so #4 0xb7fd3954 in js_IsXMLName () from /opt/firefox15/libmozjs.so #5 0xb7fd9b62 in js_IsXMLName () from /opt/firefox15/libmozjs.so #6 0xb7f989b9 in js_Invoke () from /opt/firefox15/libmozjs.so #7 0xb7fa1717 in js_Interpret () from /opt/firefox15/libmozjs.so #8 0xb7f99011 in js_Execute () from /opt/firefox15/libmozjs.so #9 0xb7f78a28 in JS_EvaluateUCScriptForPrincipals () from /opt/firefox15/libmozjs.so (gdb) x/i $eip 0xb753e339 <free+73>: mov 0x4(%ecx),%eax (gdb) p/x $eax $1 = 0xb76037e4 (gdb) p/x $ecx $2 = 0xfffffff9 Reproducible: Always Steps to Reproduce: testcase Actual Results: crash in free() Expected Results: crash free
Version: unspecified → 1.5 Branch
Attached file crash in free()
crash in free()
Assignee: nobody → mrbkap
Component: Security → JavaScript Engine
Flags: blocking1.9a1+
Flags: blocking1.8.0.1+
Product: Firefox → Core
Whiteboard: [sg:investigate] critical?
Version: 1.5 Branch → 1.8 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: firefox → general
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
no action, so adding management without offensing words. management knows better. good management.
I'm sorry for not commenting earlier. I have a patch in hand and am currently running it through tests to ensure that it does not introduce any regressions. I didn't bother commenting because I feel that, in general, the "Status" of a bug is sufficient to indicate that I am working on a fix. So there has certainly been action on this bug.
Attached patch patch v1 (obsolete) — Splinter Review
I cannot reproduce the crash on my machine (though it's brought almost to its knees), but this should fix the overflow. I also found a bug in the use of StringBuffer::grow (please excuse my dirty C++ syntax here!) where we were too agressively growing the string.
Attachment #205755 - Flags: review?(brendan)
Comment on attachment 205755 [details] [diff] [review] patch v1 > static JSBool > GrowStringBuffer(JSStringBuffer *sb, size_t newlength) > { > ptrdiff_t offset; > jschar *bp; > > offset = PTRDIFF(sb->ptr, sb->base, jschar); >- newlength += offset; >- bp = (jschar *) realloc(sb->base, (newlength + 1) * sizeof(jschar)); >+ newlength += offset + 1; >+ if (newlength > offset && newlength < ~(size_t)0 / sizeof(jschar)) Put this in number-line order: >+ if (offset < newlength && newlength < ~(size_t)0 / sizeof(jschar)) Also, you'll need to cast offset to (size_t) to shut up an MSVC warning. Pick these nits and r=me (new patch in bug only for branch landing and verification). Thanks for fixing these(! what was I thinking adding the offset in the callers?) bugs, /be
Attachment #205755 - Flags: review?(brendan) → review+
I added the cast and an assertion to make sure that casting |offset| wasn't going to do the wrong thing.
Attachment #205755 - Attachment is obsolete: true
Attachment #205762 - Flags: review?(brendan)
Comment on attachment 205762 [details] [diff] [review] Patch for checkin r=me, nominate for branches once this bakes a bit on the trunk. /be
Attachment #205762 - Flags: review?(brendan) → review+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Although there is a testcase outlined in this bug, it is one that doesn't complete in a time short enough to allow it to be placed in the normal JavaScript Test Library so I am marking this testcase-.
Flags: testcase-
Comment on attachment 205762 [details] [diff] [review] Patch for checkin Another security fix that has been thoroughly baked on the trunk. /be
Attachment #205762 - Flags: approval1.8.1?
Attachment #205762 - Flags: approval1.8.0.1?
Comment on attachment 205762 [details] [diff] [review] Patch for checkin a=dveditz for drivers
Attachment #205762 - Flags: approval1.8.1?
Attachment #205762 - Flags: approval1.8.1+
Attachment #205762 - Flags: approval1.8.0.1?
Attachment #205762 - Flags: approval1.8.0.1+
Fix checked into the branches.
Keywords: fixed1.8.0.1, fixed1.8.1
I've rethought the time limit and think we can put this in the automated tests after all. no crash in 1.8.0.1, 1.8.1, 1.9a1 on winxp 20060112 no crash in 1.8.0.1 linux 20060112 crash in 1.8.1 linux 20060112 TB13900472 libc.so.6 + 0x61e79 (0x00c3de79) FreeStringBuffer() [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsscan.c, line 823] crash in 1.9a1 linux 20060112 TB13900588 libc.so.6 + 0x61e79 (0x00e29e79) FreeStringBuffer() [/builds/tinderbox/Fx-Trunk/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsscan.c, line 823]
Status: RESOLVED → REOPENED
Flags: testcase- → testcase?
Keywords: fixed1.8.0.1, fixed1.8.1verified1.8.0.1
Resolution: FIXED → ---
Flags: testcase? → testcase+
Attached patch Fix the bad callSplinter Review
In a debug build, you would have noticed an assertion in jsscan.c. The problem is fairly obvious: in the case that !STRING_BUFFER_OK(&sb), we were reporting oom and jumping to out:, where we would only test for str != null (with no assignments to str outside of null) and try to free the sentinal value. Rearranging the label won't work, so here's the patch to not free when we don't want to.
Attachment #208787 - Flags: review?(brendan)
Comment on attachment 208787 [details] [diff] [review] Fix the bad call r=me, thanks for fixing this. /be
Attachment #208787 - Flags: review?(brendan)
Attachment #208787 - Flags: review+
Attachment #208787 - Flags: approval1.8.1?
Attachment #208787 - Flags: approval1.8.0.2?
Flags: blocking1.8.0.2?
Fixed on trunk, again.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8-
Keywords: fixed1.8.1
sorry for the bugspam, saw the checkin and thought the missing fixed1.8.1 was as oversight, but it was removed with comment 13
Keywords: fixed1.8.1
There are other issues with this that I need to sort out. I verified based on the results of the browser based tests which don't necessarily run long enough to show crashes. I am rebuilding with the patch in attachment 208787 [details] [diff] [review] to get a better idea of what is happening.
(In reply to comment #19) with attachment 208787 [details] [diff] [review] I crash in windows firefox 1.5 (1.8) JSHashNumber js_HashString(JSString *str) { JSHashNumber h; const jschar *s; size_t n; h = 0; for (s = JSSTRING_CHARS(str), n = JSSTRING_LENGTH(str); n; s++, n--) -> h = (h >> (JS_HASH_BITS - 4)) ^ (h << 4) ^ *s; return h; } h 0x00000000 n 0x2fa6001a + s 0x00000001 "" - str 0x0013dc48 length 0x2fa6001a + chars 0x00000001 "" js_HashString(JSString * 0x0013dc48) line 2811 + 19 bytes js_AtomizeString(JSContext * 0x00032dd8, JSString * 0x0013dc48, unsigned int 0x00000080) line 650 + 9 bytes js_AtomizeChars(JSContext * 0x00032dd8, const unsigned short * 0x00000001, unsigned int 0x2fa6001a, unsigned int 0x00000000) line 752 + 19 bytes js_GetToken(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8) line 1271 + 42 bytes js_MatchToken(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8, int 0x00000043) line 2130 + 13 bytes XMLTagContent(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8, JSTreeContext * 0x0013e308, int 0x0000003d, JSAtom * * 0x0013e244) line 3407 + 15 bytes XMLElementOrList(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8, JSTreeContext * 0x0013e308, int 0x00000000) line 3534 + 23 bytes XMLElementContent(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8, JSParseNode * 0x004a9dd0, JSTreeContext * 0x0013e308) line 3486 + 19 bytes XMLElementOrList(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8, JSTreeContext * 0x0013e308, int 0x00000000) line 3584 + 21 bytes XMLElementOrListRoot(JSContext * 0x00032dd8, JSTokenStream * 0x004a9af8, JSTreeContext * 0x0013e308, int 0x00000000) line 3671 + 21 bytes js_ParseXMLTokenStream(JSContext * 0x00032dd8, JSObject * 0x000387c8, JSTokenStream * 0x004a9af8, int 0x00000000) line 3717 + 24 bytes ParseXMLSource(JSContext * 0x00032dd8, JSString * 0x008d7ff8) line 1943 + 25 bytes ToXML(JSContext * 0x00032dd8, long 0x008d7ffc) line 2042 + 13 bytes XML(JSContext * 0x00032dd8, JSObject * 0x008d86a8, unsigned int 0x00000001, long * 0x0041db8c, long * 0x0013e524) line 7051 + 13 bytes js_Invoke(JSContext * 0x00032dd8, unsigned int 0x00000001, unsigned int 0x00000001) line 1177 + 23 bytes js_Interpret(JSContext * 0x00032dd8, unsigned char * 0x00420771, long * 0x0013ee20) line 3095 + 15 bytes js_Execute(JSContext * 0x00032dd8, JSObject * 0x000387c8, JSScript * 0x00420670, JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0013fecc) line 1423 + 19 bytes JS_ExecuteScript(JSContext * 0x00032dd8, JSObject * 0x000387c8, JSScript * 0x00420670, long * 0x0013fecc) line 3999 + 25 bytes Process(JSContext * 0x00032dd8, JSObject * 0x000387c8, char * 0x00032d2a) line 223 + 22 bytes ProcessArgs(JSContext * 0x00032dd8, JSObject * 0x000387c8, char * * 0x00032cc4, int 0x00000003) line 470 + 17 bytes main(int 0x00000003, char * * 0x00032cc4, char * * 0x00033268) line 2565 + 21 bytes JS! mainCRTStartup + 227 bytes KERNEL32! 7c816d4f() I am ASSuming this is related to the overlong string crash in bug 342422 and the int overflow is indeed resolved with this patch. I'll try the patch in bug 324422 combined with this.
Bob, would you file a new bug on that crash? If it turns out to be a dupe, we'll mark it then.
(In reply to comment #21) Filed Bug 324533
Summary: probably an integer overflow in jsxml.c → CVE-2006-0297 probably an integer overflow in jsxml.c
regarding CVE in the summary: i consider mitre/CVE corporate/government's puppies and have low opinion of them. mitre's "Steven M. Christey" <coley@linus.mitre.org> co-authored the "responsible disclosure draft rfc" which was obviously a corporate plot and was ditched by even the IETF - check the ietf archives for this corporate fiasco.
Attachment #208787 - Flags: approval1.8.1? → branch-1.8.1?(brendan)
Comment on attachment 208787 [details] [diff] [review] Fix the bad call approving for 1.8 and 1.8.0 branch checkin. /be
Attachment #208787 - Flags: branch-1.8.1?(brendan)
Attachment #208787 - Flags: branch-1.8.1+
Attachment #208787 - Flags: approval1.8.0.2?
Attachment #208787 - Flags: approval1.8.0.2+
Group: security
Flags: blocking1.8.0.2? → blocking1.8.0.2+
I don't have a stack for this, but this now crashes in 1.8/1.8.0.1 linux only in browser tests on e4x/Regress/regress-319872.js linux-1.8_2006020704 linux-1.8.0.1_2006020704
Keywords: verified1.8.0.1
Isn't that just bug 324533?
(In reply to comment #26) > Isn't that just bug 324533? > yeah.
Status: RESOLVED → VERIFIED
Keywords: verified1.8.0.1, verified1.8.1
Second fix checked into the 1.8.0.2 branch.
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Whiteboard: [sg:investigate] critical? → [sg:investigate] critical? [rft-dl]
(In reply to comment #29) > Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) > since in-testsuite+ indicates a test case exists in the js test library. Are these status whiteboard marks documented somewhere? Thanks, /be
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
Keywords: fixed1.8.0.2verified1.8.0.2
Although I wasn't able to reproduce it with my local builds, I saw a crash in the trunk shell on windows from 20060328. No crashes in the browser versions of the tests or on mac or linux.
(In reply to comment #32) > No crashes in the browser versions of > the tests or on mac or linux. > for me linux trunk also seems safe.
Checking in regress-319872.js; /cvsroot/mozilla/js/tests/e4x/Regress/regress-319872.js,v <-- regress-319872.js initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: