Bug 428669 (CVE-2008-1380)

Crash testcase for bug 425576

RESOLVED FIXED

Status

Core
JavaScript Engine
RESOLVED FIXED
9 years ago
4 years ago

People

(Reporter: moz_bug_r_a4, Unassigned)

Tracking

({crash, testcase, verified1.8.1.14})

1.8 Branch
x86
Windows XP
Points:
---
Bug Flags:
blocking1.8.1.14 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] fixed by 425576)

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
I'm filing this bug to attach a testcase for bug 425576, since I'm not sure
whether this is an exploitable crash or not.

Upcoming testcase is based on http://www.exblog.jp/ page and bug 425576 comment #38.
(Reporter)

Comment 1

9 years ago
Created attachment 315278 [details]
testcase - page A

This testcase consists of two pages.  Cross origin page B is:
http://landfill.bugzilla.org/bugzilla-3.0-branch/attachment.cgi?id=904

Note:
* You need to set pref security.warn_leaving_secure to false.
* If bfcache is disabled, this testcase is not reproducible.

Steps to reproduce:
1. Load the page A.
2. Click "Click me!" button.
3. Wait a few seconds.

fx-2.0.0.14pre-2008-04-01-03: crash
fx-2.0.0.14pre-2008-04-02-03: no crash

Here is what happens with this testcase:
1. In the page A, set focus on an input element that has onblur attribute.
2. Load the cross origin page B.
3. Unload the page B before <body> element starts.
4. Firefox tries to compile onblur event handler of the input element in the
   page A in bfcache, and fails in JS_CompileUCFunctionForPrincipals.  (Error
   Console shows this error: Error: uncaught exception: Permission denied to
   set property EventTarget.addEventListener)
Depends on: 425576
Keywords: crash, testcase
Whiteboard: [sg:critical?]
Created attachment 315303 [details]
Crash log from 10.5

Here's a crash log from 10.5.

See also, bug 425594 and the attachment in bug 425576.

The top of the first thread using this testcase is:

Thread 0 Crashed:
0   libmozjs.dylib                	0x00c4dfb7 js_MarkGCThing + 26
1   libmozjs.dylib                	0x00c4ee71 js_GC + 1955
2   libmozjs.dylib                	0x00c223e5 JS_GC + 50
3   org.mozilla.firefox           	0x005014ec nsJSContext::SetGCOnDestruction(int) + 86
Compared to the testcase in bug 425576, which crashes at:

Thread 0 Crashed:
0   libmozjs.dylib                	0x00c4ee4e js_GC + 1920
1   libmozjs.dylib                	0x00c2240b JS_GC + 88
2   org.mozilla.firefox           	0x005042b1 nsJSContext::DOMBranchCallback(JSContext*, JSScript*) + 125
3   libmozjs.dylib                	0x00c5bafb js_Interpret + 43126
Keywords: fixed1.8.1.14
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 425576
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/2008040413 Firefox/2.0.0.14.

This crashes 2.0.0.13 but not 2.0.0.14 as comment 1 says.
Flags: blocking1.8.1.14+
Keywords: fixed1.8.1.14 → verified1.8.1.14
Alias: CVE-2008-1380
Group: security
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Keywords: fixed1.8.1.15
Resolution: --- → FIXED
Flags: in-testsuite?
Keywords: fixed1.8.1.15
Flags: in-testsuite? → in-testsuite-