Closed Bug 426892 Opened 16 years ago Closed 16 years ago

"Data Execution Prevention" error when clicking reply in gmail

Categories

(Firefox :: Security, defect)

x86
Windows Vista
defect
Not set
major

Tracking


RESOLVED DUPLICATE of bug 425499

People

(Reporter: ravenousbugblatterbeast, Unassigned)

Details

(Keywords: crash)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

Since upgrading from 3.0b4 to 3.0b5, approximately 50% of the time when I try and reply to a message Windows kills firefox.exe with the data execution prevention error. Showing details reveals the following:

Problem signature:
  Problem Event Name:	BEX
  Application Name:	firefox.exe
  Application Version:	1.9.0.3007
  Application Timestamp:	47eb31c2
  Fault Module Name:	StackHash_8d13
  Fault Module Version:	0.0.0.0
  Fault Module Timestamp:	00000000
  Exception Offset:	20202020
  Exception Code:	c0000005
  Exception Data:	00000008
  OS Version:	6.0.6000.2.0.0.256.1
  Locale ID:	2057
  Additional Information 1:	8d13
  Additional Information 2:	cdca9b1d21d12b77d84f02df48e34311
  Additional Information 3:	8d13
  Additional Information 4:	cdca9b1d21d12b77d84f02df48e34311


Reproducible: Sometimes

Steps to Reproduce:
1. Login to gmail
2. Click on a message thread in inbox
3. Click the reply button at the bottom of the thread
Actual Results:
Windows kills the firefox process with the above error message


Flagging it as a security issue as I don't know if it leads to a remotely exploitable stack overflow or not.
I have now repeated this on a new profile, and this time the Mozilla Crash Report kicked in instead of Windows handling it, so there should now be a crash dump available.

In order to repeat the bug I had to install the Firebug 1.1.0b12 extension from www.getfirebug.com. In my original profile, I had followed Google's advice about how to configure Firebug not to slow down Gmail. I did not change any Firefox or Firebug settings from their defaults on the new profile on which I repeated the bug.

Although this is probably a bug in the extension, it should still be treated as a Firefox issue, as a pure javascript extension with no compiled code of its own shouldn't be able to cause a DEP error.
Keywords: crash
See also bug 426621 filed today.

We need the crash id to tie a particular report to this bug. Please type "about:crashes" in the address bar (w/out the quotes) and hit return. Paste the crash-id into this bug (if you prepend "bp-" to the ID bugzilla will auto-link it to the crash-stats server).

Being shut down by DEP is bad, it hints that the problem might be exploitable on a system without similar no-execute protection.
Keywords: crash
Whiteboard: [sg:needinfo]
Keywords: crash
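The comment above explains why a DEP termination deserves a security look. The following triage helper is an added example, not code from this bug or from Mozilla: it parses a Windows Error Reporting (WER) "BEX" problem signature with the same layout as the one pasted in comment 0 and reports the fields that point at memory corruption. The sample signature is constructed from that report, and the heuristics (execute-fault check, StackHash check, printable-offset check) are this example's own assumptions.

```python
# Added example: triage a WER "BEX" problem signature (WER's bucket for
# buffer-overrun / DEP failures) and explain why it looks like memory corruption.
import re

# Constructed sample: same shape as the signature in the report above.
SAMPLE = """Problem signature:
  Problem Event Name:\tBEX
  Application Name:\tfirefox.exe
  Fault Module Name:\tStackHash_8d13
  Exception Offset:\t20202020
  Exception Code:\tc0000005
  Exception Data:\t00000008
"""

def parse_signature(text):
    """Return the 'Key: value' pairs of a WER problem signature as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and m.group(2):  # skip the bare "Problem signature:" heading
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(fields):
    """Return a list of findings describing why this crash merits security review."""
    findings = []
    code = int(fields.get("Exception Code", "0"), 16)
    data = int(fields.get("Exception Data", "0"), 16)
    offset = fields.get("Exception Offset", "")
    module = fields.get("Fault Module Name", "")
    # STATUS_ACCESS_VIOLATION with ExceptionInformation[0] == 8 is an execute
    # fault: DEP refused an instruction fetch from non-executable memory.
    if code == 0xC0000005 and data == 8:
        findings.append("DEP execute fault: control flow reached non-executable memory")
    # StackHash_* means WER could not map the faulting address to any loaded module.
    if module.startswith("StackHash_"):
        findings.append("faulting address lies outside every loaded module")
    # An offset made only of printable ASCII bytes (0x20202020 is four spaces)
    # suggests the instruction pointer was overwritten with data, not a code address.
    try:
        raw = bytes.fromhex(offset)
        if raw and all(0x20 <= b < 0x7F for b in raw):
            findings.append("exception offset is printable ASCII: %r" % raw)
    except ValueError:
        pass  # offset field missing or not hex; nothing to conclude
    return findings
```

Running `triage(parse_signature(SAMPLE))` on the constructed sample yields all three findings; a crash with a normal offset inside a named module yields none.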
Crash info:

http://crash-stats.mozilla.com/report/index/2b0773ae-01d0-11dd-9cf9-001a4bd43ef6?date=2008-04-03-22

I also looked this up on the Firebug bug tracker here:

http://code.google.com/p/fbug/issues/detail?id=578

I have found I can reliably repeat the problem every time as follows:

1. Install Firefox 3.0b5
2. Install Firebug 1.10b12
3. Visit http://portal.wecreatestuff.com/portal.php

For me, it will crash as soon as the flash game file finishes downloading, but only when firebug is enabled.
One more thing that may or may not be relevant: I am running on a 64-bit version of Windows Vista.
I cannot repeat the error on http://portal.wecreatestuff.com/portal.php using the latest tinderbox build.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008040412 Minefield/3.0pre ID:2008040412

I can reproduce it on Firefox 3.0b5 using firebug 1.20a12.

Based on this I suggest that this is a dup of Bug 425499
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Group: security
Whiteboard: [sg:needinfo]