Closed
Bug 466576
Opened 16 years ago
Closed 16 years ago
Null deref [@ nsSVGTransformList::GetValueString] after failed appendItem
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b3
People
(Reporter: jruderman, Assigned: longsonr)
Details
(4 keywords, Whiteboard: [sg:dos])
Crash Data
Attachments
(2 files)
376 bytes,
application/xhtml+xml
|
Details | |
6.40 KB,
patch
|
roc
:
review+
roc
:
superreview+
beltzner
:
approval1.9.1+
dveditz
:
approval1.9.0.12+
|
Details | Diff | Splinter Review |
appendItem throws "Error: Permission denied for <file://> to create wrapper for object of class UnnamedClass" but sets up innerHTML for a crash.
Assignee | ||
Comment 1•16 years ago
|
||
Similar patch to bug 372046. Tells us there that we have a problem bug 372046 comment 7
Assignee: nobody → longsonr
Attachment #350063 -
Flags: superreview?(roc)
Attachment #350063 -
Flags: review?(roc)
Assignee | ||
Updated•16 years ago
|
OS: Mac OS X → All
Hardware: PC → All
I'm confused. Why are {} and function(){} treated as valid values for arbitrary XPCOM interfaces? Shouldn't XPConnect be throwing before we get into C++?
In fact, I think allowing untrusted script to implement our DOM interfaces is, in almost all cases, a huge mistake. Trying to bulletproof our code to handle it is a fool's errand IMHO.
Comment 4•16 years ago
|
||
(In reply to comment #2) > I'm confused. Why are {} and function(){} treated as valid values for arbitrary > XPCOM interfaces? Shouldn't XPConnect be throwing before we get into C++? There are cases like event listeners when {} should be supported. (Though usually it is { handleEvent: function (evt) {} }) We have had similar crashes before at least in SVG, found by some fuzzer IIRC. DOM APIs convert parameters to nsINode or similar so those should be safe. At least I haven't noticed any problematic code. I thought it is very well known fact that {} can be used as an implementation of a scriptable interface.
I know there are a few XPCOM/DOM interfaces which need to be implementable by client script. And I know functions should be usable for "function callback" DOM interfaces. But these should be the exception rather than the rule, shouldn't they?
> DOM APIs convert parameters to nsINode or similar so those should be safe.
How does that work? It looks to me like content code just calls NODE_FROM which does a static_cast from nsIDOMNode* to nsINode*. How do we know that's safe?
Comment 6•16 years ago
|
||
NODE_FROM isn't used with nsIDOMNodes, only with nsINode/nsIContent/nsIDocument
Comment 7•16 years ago
|
||
insertBefore/appendChild/replaceChild/etc DOM methods QI the parameters to nsIContent, which is C++ only interface. Code which handles attribute nodes uses nsIAttribute, not nsIDOMAttr, range code uses nsIRange, not nsIDOMRange...
Attachment #350063 -
Flags: superreview?(roc)
Attachment #350063 -
Flags: superreview+
Attachment #350063 -
Flags: review?(roc)
Attachment #350063 -
Flags: review+
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] OK, I still think it's really poor to have to allow untrusted JS to implement DOM interfaces willy-nilly, but if I can't convince anyone of that, then I guess we need this.
Assignee | ||
Updated•16 years ago
|
Attachment #350063 -
Flags: approval1.9.1?
Assignee | ||
Comment 9•16 years ago
|
||
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] The patch is similar in structure to bug 372046 which we've had in the codebase for a long time. Hopefully that means this patch will be low risk. The first attachment can become a crashtest.
Comment 10•16 years ago
|
||
We've thought in the past about only allowing certain DOM interfaces to be implemented, yes. That would require some XPConnect changes, of course, and some DOM interfaces do need to be implementable by random JS objects, not all of which are functions. So we'd have to do some annotation on a per-interface basis...
Assignee | ||
Updated•16 years ago
|
Whiteboard: checkin-needed
Assignee | ||
Updated•16 years ago
|
Whiteboard: checkin-needed
Assignee | ||
Updated•16 years ago
|
Whiteboard: checkin-needed
Keywords: checkin-needed
Whiteboard: checkin-needed → [needs landing]
Comment 11•16 years ago
|
||
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] http://hg.mozilla.org/mozilla-central/rev/95220a88eb95
Attachment #350063 -
Attachment description: patch → patch
[Checkin: Comment 11]
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [needs landing]
Target Milestone: --- → mozilla1.9.2a1
Comment 12•16 years ago
|
||
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] a191=beltzner
Attachment #350063 -
Flags: approval1.9.1? → approval1.9.1+
Assignee | ||
Updated•16 years ago
|
Keywords: checkin-needed
Whiteboard: [needs landing on 1.9.1]
Comment 13•16 years ago
|
||
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e613045aa8a9
Attachment #350063 -
Attachment description: patch
[Checkin: Comment 11] → patch
[Checkin: Comment 11 & 13]
Updated•16 years ago
|
Keywords: checkin-needed → fixed1.9.1
Whiteboard: [needs landing on 1.9.1]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
Reporter | ||
Updated•16 years ago
|
Flags: in-testsuite? → in-testsuite+
Comment 14•15 years ago
|
||
Seeing that there haven't been any duplicate sightings for this issue for 3 months, I'm going to go ahead and verify this unless someone has an issue with that.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Comment 15•15 years ago
|
||
1.9.0 PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!nsSVGTransformList::GetValueString
Flags: blocking1.9.0.11?
Comment 16•15 years ago
|
||
we'll put blocking at 1.9.0.12 since we're winding down 1.9.0.11 and don't want to hound you, but we'll approve the patch for 1.9.0.11 if you want and can get to it (add the approval request flag). Code-freeze is Wednesday May 6.(In reply to comment #15) > 1.9.0 > PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address > controls Code Flow starting at gklayout!nsSVGTransformList::GetValueString This is one of the our code patterns that !exploitable gets wrong. We're getting a null deref because we've explicitly nulled out the value. !exploitable worries that if the null is there because it was unexpected then maybe it could just as easily be some other value and therefore be exploited. !exploitable is biased toward "no false negatives".
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12+
Flags: blocking1.9.0.11?
Updated•15 years ago
|
Whiteboard: [sg:dos]
Assignee | ||
Comment 17•15 years ago
|
||
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] This has been in the trunk for a while and is in 3.1 beta 3. The patch applies cleanly to 3.0 and stops the testcase crashing there too.
Attachment #350063 -
Flags: approval1.9.0.12?
Comment 18•15 years ago
|
||
Comment on attachment 350063 [details] [diff] [review] patch [Checkin: Comment 11 & 13] Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #350063 -
Flags: approval1.9.0.12? → approval1.9.0.12+
Assignee | ||
Updated•15 years ago
|
Keywords: fixed1.9.0.12
Comment 19•15 years ago
|
||
Verified for 1.9.0.12 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre (.NET CLR 3.5.30729). Testcase no longer crashes as it does with 1.9.0.11.
Keywords: fixed1.9.0.12 → verified1.9.0.12
Updated•13 years ago
|
Crash Signature: [@ nsSVGTransformList::GetValueString]
You need to log in
before you can comment on or make changes to this bug.
Description
•