Bug 426892: "Data Execution Prevention" error when clicking reply in gmail
Status: RESOLVED DUPLICATE of bug 425499 (Closed)
Opened 16 years ago; closed 16 years ago
Categories: (Firefox :: Security, defect)
People: (Reporter: ravenousbugblatterbeast, Unassigned)
Details: (Keywords: crash)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

Since upgrading from 3.0b4 to 3.0b5, approximately 50% of the time when I try and reply to a message Windows kills firefox.exe with the data execution prevention error. Showing details reveals the following:

Problem signature:
  Problem Event Name: BEX
  Application Name: firefox.exe
  Application Version: 1.9.0.3007
  Application Timestamp: 47eb31c2
  Fault Module Name: StackHash_8d13
  Fault Module Version: 0.0.0.0
  Fault Module Timestamp: 00000000
  Exception Offset: 20202020
  Exception Code: c0000005
  Exception Data: 00000008
  OS Version: 6.0.6000.2.0.0.256.1
  Locale ID: 2057
  Additional Information 1: 8d13
  Additional Information 2: cdca9b1d21d12b77d84f02df48e34311
  Additional Information 3: 8d13
  Additional Information 4: cdca9b1d21d12b77d84f02df48e34311

Reproducible: Sometimes

Steps to Reproduce:
1. Log in to Gmail
2. Click on a message thread in inbox
3. Click the reply button at the bottom of the thread

Actual Results:
Windows kills the Firefox process with the above error message

Flagging it as a security issue as I don't know if it leads to a remotely exploitable stack overflow or not.
Comment 1 • 16 years ago (Reporter)
I have now repeated this on a new profile, and this time the Mozilla Crash Report kicked in instead of Windows handling it, so there should now be a crash dump available. In order to repeat the bug I had to install the Firebug 1.1.0b12 extension from www.getfirebug.com. In my original profile, I had followed Google's advice about how to configure Firebug not to slow down Gmail. I did not change any Firefox or Firebug settings from their default on the new profile on which I repeated the bug. Although this is probably a bug in the extension, it should still be treated as a Firefox issue, as a pure JavaScript extension with no compiled code of its own shouldn't be able to cause a DEP error.
Comment 2 • 16 years ago
See also bug 426621 filed today.

We need the crash id to tie a particular report to this bug. Please type "about:crashes" in the address bar (w/out the quotes) and hit return. Paste the crash-id into this bug (if you prepend "bp-" to the ID bugzilla will auto-link it to the crash-stats server).

Being shut down by DEP is bad; it hints that the problem might be exploitable on a system without similar no-execute protection.
Keywords: crash
Whiteboard: [sg:needinfo]
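Added example (not part of the original bug thread and not Mozilla's code): a short Python triage of the Windows Error Reporting problem signature quoted in the description, showing which fields point to an execute-type violation at an address that is not in any module. The field values are copied from the report (a subset of its fields); reading Exception Data as the access-type value of the access violation is an assumption, and the function names are hypothetical.

```python
# Added example: triage of a Windows Error Reporting problem signature.
# Function names are hypothetical; values below are copied from the report.
SIGNATURE = """\
Problem Event Name: BEX
Application Name: firefox.exe
Fault Module Name: StackHash_8d13
Fault Module Version: 0.0.0.0
Exception Offset: 20202020
Exception Code: c0000005
Exception Data: 00000008
"""

# Assumption: Exception Data carries the access-type value that Windows
# stores with an access violation (0 = read, 1 = write, 8 = execute/DEP).
AV_KIND = {0: "read", 1: "write", 8: "execute (DEP)"}


def parse_signature(text):
    """Return {field: value} for every 'Field: value' line."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def triage(fields):
    """Return the findings a responder would note from the signature."""
    findings = []
    if int(fields.get("Exception Code", "0"), 16) == 0xC0000005:
        data = fields.get("Exception Data")
        kind = AV_KIND.get(int(data, 16), "unknown") if data else "not reported"
        findings.append("access violation, kind: " + kind)
    # WER uses a StackHash_ name when the fault address maps to no module.
    if fields.get("Fault Module Name", "").startswith("StackHash_"):
        findings.append("fault address is outside every loaded module")
    digits = fields.get("Exception Offset", "")
    addr = bytes.fromhex(digits.zfill(len(digits) + len(digits) % 2))
    if addr and all(0x20 <= b < 0x7F for b in addr):
        findings.append("fault address is printable ASCII: %r" % addr.decode())
    return findings


if __name__ == "__main__":
    for finding in triage(parse_signature(SIGNATURE)):
        print(finding)
```

The offset 20202020 decodes to four space characters, so the process tried to execute at an address that looks like text data rather than code.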
Comment 3 • 16 years ago (Reporter)
Crash info: http://crash-stats.mozilla.com/report/index/2b0773ae-01d0-11dd-9cf9-001a4bd43ef6?date=2008-04-03-22

I also looked this on the Firebug bug tracker here: http://code.google.com/p/fbug/issues/detail?id=578

I have found I can reliably repeat the problem every time as follows:
1. Install Firefox 3.0b5
2. Install Firebug 1.10b12
3. Visit http://portal.wecreatestuff.com/portal.php

For me, it will crash as soon as the Flash game file finishes downloading, but only when Firebug is enabled.
Comment 4 • 16 years ago (Reporter)
One more thing that may or may not be relevant: I am running on a 64-bit version of Windows Vista.
Comment 5 • 16 years ago (Reporter)
I cannot repeat the error on http://portal.wecreatestuff.com/portal.php using the latest tinderbox build.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008040412 Minefield/3.0pre ID:2008040412

I can reproduce it on Firefox 3.0b5 using Firebug 1.20a12.
Comment 6 • 16 years ago
Based on this I suggest that this is a dup of Bug 425499
Updated • 16 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated • 16 years ago
Group: security
Whiteboard: [sg:needinfo]