Closed Bug 328839 Opened 20 years ago Closed 20 years ago

[FIX]print preview causes memory corruption at least via <xul:editor src='javascript

Categories

(Core :: XUL, defect, P1)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: guninski, Assigned: bzbarsky)

References

Details

(Keywords: fixed1.8.1, verified1.8.0.2, Whiteboard: [sg:critical][rft-dl])

Attachments

(6 files, 1 obsolete file)

xblv1
822 bytes, text/xml
Details
htmlv1
271 bytes, text/html
Details
Crash testcase that doesn't need print preview -- crashes on load
347 bytes, text/html
Details
Er, the real trunk patch
12.40 KB, patch
neil
: review+
jst
: superreview+
Details | Diff | Splinter Review
Patch for 1.8/1.8.0
12.63 KB, patch
neil
: review+
jst
: superreview+
jst
: approval-branch-1.8.1+
dveditz
: approval1.8.0.2+
Details | Diff | Splinter Review
Patch for the 1.7 branch
10.82 KB, patch
jst
: review+
neil
: superreview+
Details | Diff | Splinter Review
print preview causes memory corruption at least via <xul:editor src='javascript probably because of deleted object or bad cast. stack: #7 0x080ac2f9 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210 #8 <signal handler called> #9 0x096f7d29 in ?? () #10 0x08482e85 in nsBoxObject::GetFrame (this=0x9686a44) at /opt/firefox-cvs/mozilla/layout/xul/base/src/nsBoxObject.cpp:169 #11 0x08483b90 in nsBoxObject::GetDocShell (this=0x9686a44, aResult=0xbfffca40) at /opt/firefox-cvs/mozilla/layout/xul/base/src/nsBoxObject.cpp:558 #12 0x084810f1 in nsEditorBoxObject::GetDocShell (this=0x9686a40, aResult=0xbfffca40) at /opt/firefox-cvs/mozilla/layout/xul/base/src/nsEditorBoxObject.cpp:87 #13 0xb7ecb0c5 in XPTC_InvokeByIndex () at /opt/firefox-cvs/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_gcc_x86_unix.cpp:69 #14 0x080f9d6e in XPCWrappedNative::CallMethod (ccx=@0xbfffcb20, mode=XPCWrappedNative::CALL_METHOD) (gdb) frame 9 #9 0x096f7d29 in ?? () (gdb) x/i $eip 0x96f7d29: insb (%dx),%es:(%edi) exploitability is not clear, but seems easier than integer overflow imho. 1.5.0.1 doesn't seem affected by this. testcase to follow. the testcase may need to be print previewed several times.
Attached file xblv1
Attached file htmlv1
There's definite memory mangling here. The crash I got on windows (eventually -- hung up for a while) was in nsBoxObject::GetFrame on a null pointer, but the rest of the mPressShell object looked like a mixture of deleted and allocated stuff. Oh, and the null pointer was the vtbl which is another not-good sign.
Whiteboard: [sg:critical]
(In reply to comment #3) > There's definite memory mangling here. The crash I got on windows (eventually > -- hung up for a while) was in nsBoxObject::GetFrame on a null pointer, but the > rest of the mPressShell object looked like a mixture of deleted and allocated > stuff. Oh, and the null pointer was the vtbl which is another not-good sign. > i am ready to bet this is not null dereference on linux. seems dependent on previous actions and i managed to get $eip == 0xdadadada, though not reliably. the "hung" is probably the creation of a js string several megabytes long.
OK, so box objects suck. News at 11. This is the usual "let's make a virtual call on a deleted object and let content control exactly when the object gets deleted" sorta thing.
Component: Security → XP Toolkit/Widgets: XUL
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → xptoolkit.xul
Hardware: PC → All
Whiteboard: [sg:critical]
Whiteboard: [sg:critical]
Attached patch Proposed patch (obsolete) — Splinter Review
On trunk I want to do a followup to nuke mPresShell altogether, but for now let's just deal with it dying.
Attachment #213831 - Flags: superreview?(jst)
Attachment #213831 - Flags: review?(neil)
Assignee: nobody → bzbarsky
Attachment #213831 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #213832 - Flags: superreview?(jst)
Attachment #213832 - Flags: review?(neil)
Attachment #213831 - Flags: superreview?(jst)
Attachment #213831 - Flags: review?(neil)
Attachment #213834 - Flags: superreview?(jst)
Attachment #213834 - Flags: review?(neil)
Attachment #213834 - Flags: approval1.8.0.2?
Attachment #213834 - Flags: approval-branch-1.8.1?(jst)
Please push the approvals out to the next security release if we've shipped already, but otherwise this is pretty much a guaranteed remote execution flaw, I suspect.
Attachment #213837 - Flags: superreview?(neil)
Attachment #213837 - Flags: review?(jst)
Attachment #213837 - Flags: approval1.7.13?
Attachment #213837 - Flags: approval-aviary1.0.8?
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Priority: -- → P1
Summary: print preview causes memory corruption at least via <xul:editor src='javascript → [FIX]print preview causes memory corruption at least via <xul:editor src='javascript
Target Milestone: --- → mozilla1.9alpha
Blocks: 329181
confirming bz's testcase. running it 3 times (the first url at startup), always get: #9 0xdadadada in ?? () #10 0x08482e85 in nsBoxObject::GetFrame (this=0x929bea0)
bz: if i understand correctly, the most exciting part in your testcase is node.style.display = "none"; which causes something equivalent of delete of a C++ object, right?
Comment on attachment 213832 [details] [diff] [review] Er, the real trunk patch /me needs an "Edit All" link...
Attachment #213832 - Flags: review?(neil) → review+
Attachment #213834 - Flags: review?(neil) → review+
Attachment #213837 - Flags: superreview?(neil) → superreview+
Georgi, yes. Setting the display of an iframe to none deletes the presentation (not the DOM, just the layout obects) inside that iframe.
managed to overwrite mPresShell with js string, but not reliably and depending on previous actions.
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2+
Flags: blocking1.7.14+
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.9+
Flags: blocking-aviary1.0.8?
Attachment #213837 - Flags: approval1.7.14?
Attachment #213837 - Flags: approval1.7.13?
Attachment #213837 - Flags: approval-aviary1.0.9?
Attachment #213837 - Flags: approval-aviary1.0.8?
Comment on attachment 213834 [details] [diff] [review] Patch for 1.8/1.8.0 approved for 1.8.0 branch pending sr=, a=dveditz for drivers
Attachment #213834 - Flags: approval1.8.0.2? → approval1.8.0.2+
Comment on attachment 213832 [details] [diff] [review] Er, the real trunk patch sr=jst
Attachment #213832 - Flags: superreview?(jst) → superreview+
Comment on attachment 213834 [details] [diff] [review] Patch for 1.8/1.8.0 sr=jst
Attachment #213834 - Flags: superreview?(jst)
Attachment #213834 - Flags: superreview+
Attachment #213834 - Flags: approval-branch-1.8.1?(jst)
Attachment #213834 - Flags: approval-branch-1.8.1+
Comment on attachment 213837 [details] [diff] [review] Patch for the 1.7 branch r=jst
Attachment #213837 - Flags: review?(jst) → review+
Fixed on trunk and both 1.8 branches.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: fixed1.8.0.2, fixed1.8.1
Resolution: --- → FIXED
today's trunk doesn't crash
Whiteboard: [sg:critical] → [sg:critical][rft-dl]
verified on the 1.8.0.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. No crash using all three of the testcases listed in the attachment section. Adding keyword.
Keywords: fixed1.8.0.2verified1.8.0.2
Bug 330818 is more boxObject fun
Group: security
Group: security
Group: security
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Attachment #213837 - Flags: approval1.7.14?
Attachment #213837 - Flags: approval-aviary1.0.9?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: