327524 - Crash when using crypto.generateCRMFRequest(document.documentElement);

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Martijn Wargers (dead)]

I'm filing this mainly as security sensitive, because I got the idea from bug 327126, but I guess it's probably not security sensitive.

See upcoming testcase, which crashes current trunk Mozilla build. 
It also crashes Mozilla1.7.12, so no (recent) regression.


Talkback ID: TB15160940G

0x00110111
js_GetSlotThreadSafe  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jslock.c, line 592]
JS_GetPrivate  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2153]
nsScriptSecurityManager::GetFramePrincipal  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 2019]
nsScriptSecurityManager::GetPrincipalAndFrame  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 2050]
nsScriptSecurityManager::GetSubjectPrincipal  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 2092]
nsScriptSecurityManager::doGetSubjectPrincipal  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1690]
nsScriptSecurityManager::SubjectPrincipalIsSystem  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 1725]
nsContentUtils::IsCallerChrome  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsContentUtils.cpp, line 1016]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6051]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5858]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1725]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1678]
HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 175]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1036]
nsWindow::DispatchFocus  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6068]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4640]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1225]
USER32.dll + 0x27b17 (0x77d37b17)
USER32.dll + 0x2cdce (0x77d3cdce)
USER32.dll + 0x459d (0x77d1459d)
USER32.dll + 0x47b4 (0x77d147b4)
ntdll.dll + 0x2589f (0x77f6589f)
USER32.dll + 0x96ce (0x77d196ce)
PeekKeyAndIMEMessage  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 91]
nsAppShell::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 128]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x1eb69 (0x77e5eb69)

Comment 1

[Martijn Wargers (dead)]

Attachment: testcase (crashes on load)

Comment 2

[Daniel Veditz [:dveditz]]

I get a similar stack, except in nsScriptSecurityManager::GetFramePrincipal calling JS_GetFrameFunctionObject.

Comment 3

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Bug 330900 may be related.

Comment 4

[Martijn Wargers (dead)]

Doesn't crash anymore in 2006-03-26 build, most likely fixed by bug 330900.

Comment 5

[Bob Clary [:bc] (inactive)]

crash test landed
http://hg.mozilla.org/mozilla-central/rev/b0a63ee1ed5f