Bug 330818 - memory corruption involving boxObject.
Status: RESOLVED FIXED
Whiteboard: [sg:critical?] uses freed objects
Keywords: fixed1.8.1, testcase, verified1.8.0.4
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: x86 Linux
Priority/Severity: -- normal
Target Milestone: ---
Assigned To: neil@parkwaycc.co.uk
Triage Owner: David Keeler [:keeler]
Depends on: 340084 409111
Reported: 2006-03-17 06:11 PST by georgi - hopefully not receiving bugspam
Modified: 2008-02-14 14:55 PST
Flags:
dveditz: blocking1.7.14?
dveditz: blocking-aviary1.0.9+
dveditz: blocking1.8.0.4+

Attachments
inner iframe (77 bytes, text/html)
2006-03-17 06:13 PST, georgi - hopefully not receiving bugspam
potential exploit (861 bytes, text/html)
2006-03-17 06:15 PST, georgi - hopefully not receiving bugspam
Proposed patch (665 bytes, patch)
2006-03-17 13:34 PST, neil@parkwaycc.co.uk
jst: superreview+
Updated for check in (698 bytes, patch)
2006-03-18 06:09 PST, neil@parkwaycc.co.uk
Updated for check in (698 bytes, patch)
2006-03-18 06:11 PST, neil@parkwaycc.co.uk
jst: approval-branch-1.8.1+
dveditz: approval1.8.0.4+

Description georgi - hopefully not receiving bugspam 2006-03-17 06:11:46 PST
memory corruption involving boxObject.

consider iframe i1 in iframe f1.
bo=i1.boxObject
set the location of f1 to "about:blank", probably destroying a lot of i1,
including bo.
enumerate bo and crash with $eip depending on previous actions.
in some cases abort() because of "pure virtual method".

vulnerable: ff 1.5 latest and trunk, seamonkey trunk.
Comment 1 georgi - hopefully not receiving bugspam 2006-03-17 06:13:47 PST
Created attachment 215402 [details]
inner iframe
Comment 2 georgi - hopefully not receiving bugspam 2006-03-17 06:15:33 PST
Created attachment 215403 [details]
potential exploit
Comment 3 georgi - hopefully not receiving bugspam 2006-03-17 06:20:57 PST
Bug 328839 is similar
Comment 4 neil@parkwaycc.co.uk 2006-03-17 09:57:05 PST
My trunk build crashes in nsBoxObject::GetElement where mContent has an incomplete virtual table (it points to __vt_7nsINode).
Comment 5 neil@parkwaycc.co.uk 2006-03-17 13:17:00 PST
This is a 1-line fix. We just need to check that document.getBoxObjectFor is getting a box object for an element in that document.
Comment 6 neil@parkwaycc.co.uk 2006-03-17 13:34:25 PST
Created attachment 215439 [details] [diff] [review]
Proposed patch

Which error code? document.getBoxObjectFor(null) throws NS_ERROR_UNEXPECTED; document.createElement("box").boxObject throws NS_ERROR_FAILURE.
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2006-03-17 18:02:03 PST
Comment on attachment 215439 [details] [diff] [review]
Proposed patch

How about NS_ERROR_DOM_WRONG_DOCUMENT_ERR?

r+sr=jst
Comment 8 Daniel Veditz [:dveditz] 2006-03-17 21:48:53 PST
Affects 1.0.x as well.
Comment 9 neil@parkwaycc.co.uk 2006-03-18 06:09:59 PST
Created attachment 215485 [details] [diff] [review]
Updated for check in
Comment 10 neil@parkwaycc.co.uk 2006-03-18 06:11:50 PST
Created attachment 215486 [details] [diff] [review]
Updated for check in

Attaching the right file this time ;-)
Comment 11 neil@parkwaycc.co.uk 2006-03-18 06:15:58 PST
Fix checked in to the trunk.

The patch applies to the 1.8 and 1.0.8 branches but neither of the 1.7 branches; I can try to run up a suitable patch but I won't be able to test it.
Comment 12 neil@parkwaycc.co.uk 2006-03-18 09:04:55 PST
Fix checked in to the 1.8 branch.
Comment 13 georgi - hopefully not receiving bugspam 2006-03-20 04:06:15 PST
+  NS_ENSURE_TRUE(content->GetCurrentDoc() == this,
+                 NS_ERROR_DOM_WRONG_DOCUMENT_ERR);
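Review bot: the new guard dereferences `content` without a null check in these two lines, so it has to sit after the existing check that makes document.getBoxObjectFor(null) fail with NS_ERROR_UNEXPECTED (comment 6); otherwise a null argument would crash before reaching the comparison. Comparing against GetCurrentDoc() also rejects an element of this document that has been removed from the tree (GetCurrentDoc() is null for it), not only elements of other documents; that is the safe direction, since the document is what clears the box object's element pointer on teardown (comment 16), but it is worth stating in the check-in comment.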

while this stops the current crash, does it stop the following:

the inner frame gets the boxObject and passes it to the parent window (works, but no crash).

I mean - is it safe, or is my testcase just not l33t enough?

Comment 14 neil@parkwaycc.co.uk 2006-03-20 04:14:48 PST
(In reply to comment #13)
>+  NS_ENSURE_TRUE(content->GetCurrentDoc() == this,
>+                 NS_ERROR_DOM_WRONG_DOCUMENT_ERR);
>
>while this stops the current crash, does it stop the following:
>
>the inner frame gets the boxObject and passes it to the parent window (works, but no crash).
>
>I mean - is it safe, or is my testcase just not l33t enough?
Getting the box object from the correct document should already be safe.
Comment 15 georgi - hopefully not receiving bugspam 2006-03-20 04:45:18 PST
(In reply to comment #14)

> Getting the box object from the correct document should already be safe.
> 

was the problem ref counting related?

Comment 16 neil@parkwaycc.co.uk 2006-03-20 04:51:04 PST
(In reply to comment #15)
>was the problem ref counting related?
Not directly. The box object's reference is cleared by the element's document.
You had bypassed that by getting a box object using an unrelated document.
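A minimal C++ model of the lifetime problem neil describes above, added here as an illustration and not Gecko code: Document, Element and BoxObject are stand-ins for the per-document box object table, nsIContent and nsBoxObject::mContent, and the withFix flag switches the GetCurrentDoc() == this check from the patch on and off.

```cpp
#include <map>
#include <memory>
#include <vector>
struct Document;
struct Element { Document* currentDoc; };          // models nsIContent::GetCurrentDoc()
struct BoxObject { Element* content = nullptr; };  // models nsBoxObject::mContent
struct Document {
    std::vector<std::unique_ptr<Element>> elements;
    std::map<Element*, std::shared_ptr<BoxObject>> boxObjects;  // this document's box object table
    bool withFix;  // true = apply the GetCurrentDoc() == this check from the patch
    explicit Document(bool fix) : withFix(fix) {}
    Element* createElement() {
        elements.push_back(std::make_unique<Element>(Element{this}));
        return elements.back().get();
    }
    // Models document.getBoxObjectFor(); null stands for an nsresult failure. Before the fix
    // any element was accepted, so the box object could land in a table that never clears it.
    std::shared_ptr<BoxObject> getBoxObjectFor(Element* content) {
        if (!content) return nullptr;                                // NS_ERROR_UNEXPECTED
        if (withFix && content->currentDoc != this) return nullptr;  // NS_ERROR_DOM_WRONG_DOCUMENT_ERR
        auto& bo = boxObjects[content];
        if (!bo) { bo = std::make_shared<BoxObject>(); bo->content = content; }
        return bo;
    }
    // Teardown: clear mContent in every box object of *this* table, then free the elements.
    ~Document() {
        for (auto& kv : boxObjects) kv.second->content = nullptr;
        elements.clear();
    }
};

// The report's scenario: outer frame f1 requests a box object for an element of inner frame
// i1, then i1's document is destroyed. Returns true if a pointer to the freed element survives.
bool outerBoxObjectDangles(bool withFix) {
    Document outer(withFix);
    std::shared_ptr<BoxObject> bo;
    {
        Document inner(withFix);
        bo = outer.getBoxObjectFor(inner.createElement());  // wrong document
        if (!bo) return false;                              // rejected up front, nothing to dangle
    }  // inner torn down: only inner.boxObjects (empty) gets cleared
    return bo->content != nullptr;  // compared, never dereferenced: the Element is gone
}
// The normal path (comment 14): a box object from the element's own document is cleared.
bool ownDocumentClearsOnTeardown() {
    std::shared_ptr<BoxObject> bo;
    { Document doc(true); bo = doc.getBoxObjectFor(doc.createElement()); }
    return bo->content == nullptr;
}
```

Without the check the outer document's table keeps a box object whose element pointer is never cleared when the inner document dies; with it, the cross-document request fails before any such entry exists.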
Comment 17 georgi - hopefully not receiving bugspam 2006-03-20 05:15:28 PST
(In reply to comment #16)
> Not directly. The box object's reference is cleared by the element's document.
> You had bypassed that by getting a box object using an unrelated document.

are there known other objects that are cleared by a document and can be accessed from unrelated documents?
Comment 18 neil@parkwaycc.co.uk 2006-03-20 08:45:44 PST
(In reply to comment #17)
>are there known other objects that are cleared by a document and can be
>accessed from unrelated documents?
I hope not! This one just happened to be in an area of code that I knew about.
Comment 19 Daniel Veditz [:dveditz] 2006-04-03 11:50:44 PDT
Comment on attachment 215486 [details] [diff] [review]
Updated for check in

approved for 1.8.0 branch, a=dveditz for drivers
Comment 20 neil@parkwaycc.co.uk 2006-04-03 15:43:00 PDT
Fix checked in to the 1.8.0 branch.
Comment 21 Jay Patel [:jay] 2006-04-20 15:59:51 PDT
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.2) Gecko/20060420 Firefox/1.5.0.2, no crash with testcase.
Comment 22 chris hofmann 2006-06-02 07:42:54 PDT
possible fallout in https://bugzilla.mozilla.org/show_bug.cgi?id=340084 ?
Comment 23 georgi - hopefully not receiving bugspam 2006-06-02 11:00:07 PDT
can't see the other bug, so can't comment.