Closed Bug 328839 Opened 18 years ago Closed 18 years ago

[FIX]print preview causes memory corruption at least via <xul:editor src='javascript

Categories

(Core :: XUL, defect, P1)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: guninski, Assigned: bzbarsky)

References

Details

(Keywords: fixed1.8.1, verified1.8.0.2, Whiteboard: [sg:critical][rft-dl])

Attachments

(6 files, 1 obsolete file)

xblv1
822 bytes, text/xml
Details
htmlv1
271 bytes, text/html
Details
Crash testcase that doesn't need print preview -- crashes on load
347 bytes, text/html
Details
Er, the real trunk patch
12.40 KB, patch
neil
: review+
jst
: superreview+
Details | Diff | Splinter Review
Patch for 1.8/1.8.0
12.63 KB, patch
neil
: review+
jst
: superreview+
jst
: approval-branch-1.8.1+
dveditz
: approval1.8.0.2+
Details | Diff | Splinter Review
Patch for the 1.7 branch
10.82 KB, patch
jst
: review+
neil
: superreview+
Details | Diff | Splinter Review 
print preview causes memory corruption at least via <xul:editor src='javascript

probably because of deleted object or bad cast.

stack:
#7  0x080ac2f9 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
#8  <signal handler called>

#9  0x096f7d29 in ?? ()
#10 0x08482e85 in nsBoxObject::GetFrame (this=0x9686a44)
    at /opt/firefox-cvs/mozilla/layout/xul/base/src/nsBoxObject.cpp:169
#11 0x08483b90 in nsBoxObject::GetDocShell (this=0x9686a44, aResult=0xbfffca40)
    at /opt/firefox-cvs/mozilla/layout/xul/base/src/nsBoxObject.cpp:558
#12 0x084810f1 in nsEditorBoxObject::GetDocShell (this=0x9686a40, 
    aResult=0xbfffca40)
    at /opt/firefox-cvs/mozilla/layout/xul/base/src/nsEditorBoxObject.cpp:87
#13 0xb7ecb0c5 in XPTC_InvokeByIndex ()
    at /opt/firefox-cvs/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp:69
#14 0x080f9d6e in XPCWrappedNative::CallMethod (ccx=@0xbfffcb20, 
    mode=XPCWrappedNative::CALL_METHOD)

(gdb) frame 9
#9  0x096f7d29 in ?? ()
(gdb) x/i $eip
0x96f7d29:      insb   (%dx),%es:(%edi)

exploitability is not clear, but seems easier than integer overflow imho.

1.5.0.1 doesn't seem affected by this.

testcase to follow.

the testcase may need to be print previewed several times.
Attached file xblv1 

    
    

    
  

      
      
      
      

        Attached file
          
        htmlv1
      

    


  

    
    

    
  
There's definite memory mangling here. The crash I got on windows (eventually -- hung up for a while) was in nsBoxObject::GetFrame on a null pointer, but the rest of the mPressShell object looked like a mixture of deleted and allocated stuff. Oh, and the null pointer was the vtbl which is another not-good sign.
Whiteboard: [sg:critical]

    
    

    
  
(In reply to comment #3)
> There's definite memory mangling here. The crash I got on windows (eventually
> -- hung up for a while) was in nsBoxObject::GetFrame on a null pointer, but the
> rest of the mPressShell object looked like a mixture of deleted and allocated
> stuff. Oh, and the null pointer was the vtbl which is another not-good sign.
> 

i am ready to bet this is not null dereference on linux.
seems dependent on previous actions and i managed to get $eip == 0xdadadada, though not reliably.

the "hung" is probably the creation of a js string several megabytes long.


    
    

    
  
OK, so box objects suck.  News at 11.

This is the usual "let's make a virtual call on a deleted object and let content control exactly when the object gets deleted" sorta thing.
Component: Security → XP Toolkit/Widgets: XUL
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → xptoolkit.xul
Hardware: PC → All
Whiteboard: [sg:critical]

    
  
Whiteboard: [sg:critical]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed patch (obsolete)
        — Splinter Review
      

    


  
On trunk I want to do a followup to nuke mPresShell altogether, but for now let's just deal with it dying.

        Attachment #213831 -
        Flags: superreview?(jst)

        Attachment #213831 -
        Flags: review?(neil)

    
    

    
  


  
Assignee: nobody → bzbarsky

        Attachment #213831 -
        Attachment is obsolete: true
Status: NEW → ASSIGNED

        Attachment #213832 -
        Flags: superreview?(jst)

        Attachment #213832 -
        Flags: review?(neil)

        Attachment #213831 -
        Flags: superreview?(jst)

        Attachment #213831 -
        Flags: review?(neil)

    
    

    
  


  

        Attachment #213834 -
        Flags: superreview?(jst)

        Attachment #213834 -
        Flags: review?(neil)

        Attachment #213834 -
        Flags: approval1.8.0.2?

        Attachment #213834 -
        Flags: approval-branch-1.8.1?(jst)

    
    

    
  


  
Please push the approvals out to the next security release if we've shipped already, but otherwise this is pretty much a guaranteed remote execution flaw, I suspect.

        Attachment #213837 -
        Flags: superreview?(neil)

        Attachment #213837 -
        Flags: review?(jst)

        Attachment #213837 -
        Flags: approval1.7.13?

        Attachment #213837 -
        Flags: approval-aviary1.0.8?

    
  
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Priority: -- → P1
Summary: print preview causes memory corruption at least via <xul:editor src='javascript → [FIX]print preview causes memory corruption at least via <xul:editor src='javascript
Target Milestone: --- → mozilla1.9alpha

    
  
Blocks: 329181

    
    

    
  
confirming bz's testcase.

running it 3 times (the first url at startup), always get:


#9  0xdadadada in ?? ()
#10 0x08482e85 in nsBoxObject::GetFrame (this=0x929bea0)

    
    

    
  
bz: if i understand correctly, the most exciting part in your testcase is
node.style.display = "none";
which causes something equivalent of delete of a C++ object, right?

    
    

    
  
Comment on attachment 213832 [details] [diff] [review]
Er, the real trunk patch

/me needs an "Edit All" link...

        Attachment #213832 -
        Flags: review?(neil) → review+

    
  

        Attachment #213834 -
        Flags: review?(neil) → review+

    
  

        Attachment #213837 -
        Flags: superreview?(neil) → superreview+

    
    

    
  
Georgi, yes.  Setting the display of an iframe to none deletes the presentation (not the DOM, just the layout obects) inside that iframe.

    
    

    
  
managed to overwrite mPresShell with js string, but not reliably and depending on previous actions.


Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2+
Flags: blocking1.7.14+
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.9+
Flags: blocking-aviary1.0.8?

        Attachment #213837 -
        Flags: approval1.7.14?

        Attachment #213837 -
        Flags: approval1.7.13?

        Attachment #213837 -
        Flags: approval-aviary1.0.9?

        Attachment #213837 -
        Flags: approval-aviary1.0.8?

    
    

    
  
Comment on attachment 213834 [details] [diff] [review]
Patch for 1.8/1.8.0

approved for 1.8.0 branch pending sr=, a=dveditz for drivers

        Attachment #213834 -
        Flags: approval1.8.0.2? → approval1.8.0.2+

    
    

    
  
Comment on attachment 213832 [details] [diff] [review]
Er, the real trunk patch

sr=jst

        Attachment #213832 -
        Flags: superreview?(jst) → superreview+

    
    

    
  
Comment on attachment 213834 [details] [diff] [review]
Patch for 1.8/1.8.0

sr=jst

        Attachment #213834 -
        Flags: superreview?(jst)

        Attachment #213834 -
        Flags: superreview+

        Attachment #213834 -
        Flags: approval-branch-1.8.1?(jst)

        Attachment #213834 -
        Flags: approval-branch-1.8.1+

    
    

    
  
Comment on attachment 213837 [details] [diff] [review]
Patch for the 1.7 branch

r=jst

        Attachment #213837 -
        Flags: review?(jst) → review+

    
    

    
  
Fixed on trunk and both 1.8 branches.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.0.2, 
          
            fixed1.8.1
Resolution: --- → FIXED

    
    

    
  
today's trunk doesn't crash
Whiteboard: [sg:critical] → [sg:critical][rft-dl]

    
    

    
  
verified on the 1.8.0.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. No crash using all three of the testcases listed in the attachment section. Adding keyword.
Keywords: fixed1.8.0.2verified1.8.0.2

    
    

    
  
Bug 330818 is more boxObject fun
Group: security
Group: security
Group: security

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets

        Attachment #213837 -
        Flags: approval1.7.14?

        Attachment #213837 -
        Flags: approval-aviary1.0.9?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: