The default bug view has changed. See this FAQ.

memory corruption involving boxObject.

RESOLVED FIXED

Status

()

Core
Security
RESOLVED FIXED
11 years ago
9 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Assigned: neil@parkwaycc.co.uk)

Tracking

({fixed1.8.1, testcase, verified1.8.0.4})

Trunk
x86
Linux
fixed1.8.1, testcase, verified1.8.0.4
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.7.14 ?
blocking-aviary1.0.9 +
blocking1.8.0.4 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] uses freed objects)

Attachments

(3 attachments, 2 obsolete attachments)

memory corruption involving boxObject.

conside iframe i1 in iframe f1.
bo=i1.boxObject
set the location of f1 to "about:blank", probably destroying a lot of i1,
including bo.
enumerate bo and crash with $eip depending on previous actions.
in some cases abort() because of "pure virtual method".

vulnerable: ff 1.5latest and trunk, seamonkey trunk.
Created attachment 215402 [details]
inner iframe
Created attachment 215403 [details]
potential exploit
Bug 328839 is similar
(Assignee)

Comment 4

11 years ago
My trunk build crashes in nsBoxObject::GetElement where mContent has an incomplete virtual table (it points to __vt_7nsINode).
(Assignee)

Comment 5

11 years ago
This is a 1-line fix. We just need to check that document.getBoxObjectFor is getting a box object for an element in that document.
(Assignee)

Comment 6

11 years ago
Created attachment 215439 [details] [diff] [review]
Proposed patch

Which error code? document.getBoxObjectFor(null) throws NS_ERROR_UNEXPECTED; document.createElement("box").boxObject throws NS_ERROR_FAILURE.
Assignee: nobody → neil
Status: NEW → ASSIGNED
Attachment #215439 - Flags: superreview?(jst)
Attachment #215439 - Flags: review?(jst)
Comment on attachment 215439 [details] [diff] [review]
Proposed patch

How about NS_ERROR_DOM_WRONG_DOCUMENT_ERR?

r+sr=jst
Attachment #215439 - Flags: superreview?(jst)
Attachment #215439 - Flags: superreview+
Attachment #215439 - Flags: review?(jst)
Attachment #215439 - Flags: review+
Affects 1.0.x as well.
Flags: blocking1.8.0.3+
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9+
Whiteboard: [sg:critical?] uses freed objects
Attachment #215439 - Flags: approval1.8.0.3?
Attachment #215439 - Flags: approval-branch-1.8.1?
Attachment #215439 - Flags: approval-aviary1.0.9?
(Assignee)

Comment 9

11 years ago
Created attachment 215485 [details] [diff] [review]
Updated for check in
Attachment #215485 - Flags: approval1.8.0.3?
Attachment #215485 - Flags: approval-branch-1.8.1?(jst)
(Assignee)

Comment 10

11 years ago
Created attachment 215486 [details] [diff] [review]
Updated for check in

Attaching the right file this time ;-)
Attachment #215439 - Attachment is obsolete: true
Attachment #215485 - Attachment is obsolete: true
Attachment #215486 - Flags: approval1.8.0.3?
Attachment #215486 - Flags: approval-branch-1.8.1?(jst)
Attachment #215439 - Flags: approval1.8.0.3?
Attachment #215439 - Flags: approval-branch-1.8.1?
Attachment #215439 - Flags: approval-aviary1.0.9?
Attachment #215485 - Flags: approval1.8.0.3?
Attachment #215485 - Flags: approval-branch-1.8.1?(jst)
(Assignee)

Comment 11

11 years ago
Fix checked in to the trunk.

The patch applies to the 1.8 and 1.0.8 branches but neither of the 1.7 branches; I can try to run up a suitable patch but I won't be able to test it.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Component: Security → Security
Flags: review+
Flags: blocking-firefox2+
Product: Firefox → Core
Resolution: --- → FIXED

Updated

11 years ago
Attachment #215486 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
(Assignee)

Comment 12

11 years ago
Fix checked in to the 1.8 branch.
Keywords: fixed1.8.1
+  NS_ENSURE_TRUE(content->GetCurrentDoc() == this,
+                 NS_ERROR_DOM_WRONG_DOCUMENT_ERR);

while this stops the current crash, does it stop the following:

the inner frames gets the boxObject and pass it to the parent window (works, but no crash).

mean - is it safe or just my testcase is not l33t enough?

(Assignee)

Comment 14

11 years ago
(In reply to comment #13)
>+  NS_ENSURE_TRUE(content->GetCurrentDoc() == this,
>+                 NS_ERROR_DOM_WRONG_DOCUMENT_ERR);
>
>while this stops the current crash, does it stop the following:
>
>the inner frames gets the boxObject and pass it to the parent window (works, but no crash).
>
>mean - is it safe or just my testcase is not l33t enough?
Getting the box object from the correct document should already be safe.
(In reply to comment #14)

> Getting the box object from the correct document should already be safe.
> 

was the problem ref counting related?

(Assignee)

Comment 16

11 years ago
(In reply to comment #15)
>was the problem ref counting related?
Not directly. The box object's reference is cleared by the element's document.
You had bypassed that by getting a box object using an unrelated document.
(In reply to comment #16)
> Not directly. The box object's reference is cleared by the element's document.
> You had bypassed that by getting a box object using an unrelated document.

are there known other objects that are cleared by a document and can be accessed from unrelated documents?
 

(Assignee)

Comment 18

11 years ago
(In reply to comment #17)
>are there known other objects that are cleared by a document and can be
>accessed from unrelated documents?
I hope not! This one just happened to be in an area of code that I knew about.
Comment on attachment 215486 [details] [diff] [review]
Updated for check in

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #215486 - Flags: approval1.8.0.3? → approval1.8.0.3+
(Assignee)

Comment 20

11 years ago
Fix checked in to the 1.8.0 branch.
Keywords: fixed1.8.0.3

Comment 21

11 years ago
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.2) Gecko/20060420 Firefox/1.5.0.2, no crash with testcase.
Keywords: fixed1.8.0.3 → testcase, verified1.8.0.3
Flags: blocking1.7.14?
Depends on: 340084

Comment 22

11 years ago
possible fallout in https://bugzilla.mozilla.org/show_bug.cgi?id=340084 ?
can't see the other bug, so can't comment.
Group: security
Depends on: 409111
You need to log in before you can comment on or make changes to this bug.