The default bug view has changed. See this FAQ.
Bug 484320 (CVE-2009-1044)

XUL <tree> _moveToEdgeShift garbage-collection exploit (zdi-can-465)

RESOLVED FIXED

Status

()

Core
XUL
P1
critical
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: dveditz, Assigned: smaug)

Tracking

(5 keywords)

unspecified
crash, fixed1.8.1.22, verified1.9.0.8, verified1.9.0.9, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.8 +
blocking1.9.0.9 +
wanted1.9.0.x +
blocking1.8.1.next +
wanted1.8.1.x +
blocking1.8.0.next +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] ZDI CanSecWest 2009 bug; exploit is post 1.8-branch)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
Placeholder for Pwn2Own bug found in Firefox at CanSecWest 2009
(Reporter)

Comment 1

8 years ago
http://crash-stats.mozilla.com/report/index/8891b794-7cbe-4ace-85b9-48d602090320
Whiteboard: [sg:critical]
(Reporter)

Updated

8 years ago
Alias: ZDI-CAN-465
Severity: normal → critical
Component: Security → XUL
Keywords: crash
QA Contact: toolkit → xptoolkit.widgets
Summary: ZDI CanSecWest bug (ZDI-CAN-465) → XUL <tree> _moveToEdgeShift garbage-collection exploit
Whiteboard: [sg:critical] → [sg:critical] ZDI CanSecWest bug
(Reporter)

Comment 3

8 years ago
jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into 1.9.0.8 even though we're past codefreeze (April release) but May's 1.9.0.9 is more realistic. Needs to make 3.5b4.
Assignee: nobody → enndeakin
Flags: wanted1.9.0.x+
Flags: blocking1.9.1?
Flags: blocking1.9.0.9?
Flags: blocking1.9.0.8?
Windows and OSX stacks look quite different :/

Does this crash on trunk/1.9.1?
If not, my guess is that bug 430214 fixed this.
Especially this https://bugzilla.mozilla.org/attachment.cgi?id=348637&action=edit
It changed nsTreeSelection::FireOnSelectHandler to asynchronous.
(In reply to comment #4)
> Does this crash on trunk/1.9.1?
I was told it does crash, so something else then...
(Reporter)

Comment 6

8 years ago
Here's yet a different Windows crash, in Shiretoko rather than 3.0.7
bp-bccadf08-a8f0-4a6f-8374-47c802090323

what does nsTextServicesDocument::InitWithEditor have to do with this testcase?
This sounds like memory stomping somewhere. valgrind might shed some light.
(Reporter)

Comment 8

8 years ago
Created attachment 368965 [details]
safer starting point

Here's a safer starting point. The guts of the testcase are still in the poc.zip, but this copy of hold.html has the shellcode replaced with %u4141...
Yeah, need to fix this for the reasons stated above. Neil: are you the right dude to be looking at this?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Created attachment 368977 [details] [diff] [review]
patch

Could someone please test this on non-linux.
I haven't yet checked if timer code should be actually fixed.
I tested this on 1.9.1 / 64bit linux / debug build
(In reply to comment #11)
> I haven't yet checked if timer code should be actually fixed.
But for 1.9.0 the patch might be the safest fix - shouldn't cause regressions.
(Reporter)

Comment 14

8 years ago
Note that I never got the PoC to crash in a debug build so the patch will have to be verified in an opt build.
Comment on attachment 368977 [details] [diff] [review]
patch

So, InitWithFuncCallback is used, passing this is unsafe *unless*
timer is canceled before deleting this.
Attachment #368977 - Flags: superreview?(mrbkap)
Attachment #368977 - Flags: review?(dveditz)
Assignee: enndeakin → Olli.Pettay
Comment on attachment 368977 [details] [diff] [review]
patch

This makes sense. Good catch!
Attachment #368977 - Flags: superreview?(mrbkap) → superreview+
(Reporter)

Comment 17

8 years ago
Comment on attachment 368977 [details] [diff] [review]
patch

r=dveditz

Tested in opt builds and this patch stops the mac crashes I was seeing (I never got a debug build to crash). Since I was seeing completely different stacks on windows I'd like to verify this there as well.
Attachment #368977 - Flags: review?(dveditz)
Attachment #368977 - Flags: review+
Attachment #368977 - Flags: approval1.9.1?
Attachment #368977 - Flags: approval1.9.0.8?
Comment on attachment 368977 [details] [diff] [review]
patch

Does this have to go in on trunk and branch at the same time, or can we bake it there a bit first? Either way, it's a blocker, so doesn't need a191.
Attachment #368977 - Flags: approval1.9.1?
http://hg.mozilla.org/mozilla-central/rev/6955c8360d08
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/60caf43ff9c2

This does still need verification on windows.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
The patch does fix the crash also on 1.9.0 (tested on linux).
The patch seems to fix the crash for me in my trunk debug build on windows XP.
(Reporter)

Updated

8 years ago
Flags: blocking1.9.0.9?
Flags: blocking1.9.0.8?
Flags: blocking1.9.0.8+
(Reporter)

Comment 22

8 years ago
Comment on attachment 368977 [details] [diff] [review]
patch

Approved for 1.9.0.8, a=dveditz for release-drivers

Can you land this ASAP? we're well beyond code-freeze for 1.9.0.8
Attachment #368977 - Flags: approval1.9.0.8? → approval1.9.0.8+
Checking in layout/xul/base/src/tree/src/nsTreeSelection.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp,v  <--  nsTreeSelection.cpp
new revision: 1.59; previous revision: 1.58
done
Keywords: fixed1.9.0.8
(Reporter)

Comment 24

8 years ago
Stops the crash on windows for me as well (tested shiretoko tinderbox build).
Olli: Does this bug affect 1.8? We're taking it in a firedrilled Firefox 3.0.8, so if so, we'll want to get a patch ready for the distros to take.
Flags: blocking1.8.1.next?
Flags: blocking1.8.0.next?
I can't reproduce the crash on 1.8.1, but I don't know why.
The code is the same.

The patch applies to 1.8.1 too (just need to use --fuzz=3)
Ah, 1.8.1 doesn't seem to have bug 362680. So reproducing would need some
changes to the testcase.
(Reporter)

Updated

8 years ago
Keywords: fixed1.9.0.8
(Reporter)

Updated

8 years ago
Flags: blocking1.9.0.8+
1.8.0 is in the same boat as above.  patch applies with fuzz=3, but testcase doesn't work
Should this have a crashtest?
Not yet, IMO. As far as I know the testcase is not public yet.

Comment 31

8 years ago
This is CVE-2009-1044
(In reply to comment #31)
> This is CVE-2009-1044
But the testcase isn't public, right?

Comment 33

8 years ago
No, MITRE assigned this based only off of the announcement from CanSecWest.  If you look at the CVE id information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1044

There is nothing of consequence there.  It's just a placeholder.
(Reporter)

Updated

8 years ago
Alias: ZDI-CAN-465 → CVE-2009-1044
Summary: XUL <tree> _moveToEdgeShift garbage-collection exploit → XUL <tree> _moveToEdgeShift garbage-collection exploit (zdi-can-465)
Verified using: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8) Gecko/2009032608 Firefox/3.0.8

Also verified with Fx308 on Ubuntu 8.10 and Windows XP and Vista.

Mac Fx307 crashed with the test case.

Fx307 did not crash on Linux nor Windows(xp/vista) VMs for me. Fx307 did crash on a windows installation running on hardware, however.
Keywords: fixed1.9.0.8 → verified1.9.0.8
(Reporter)

Updated

8 years ago
Group: core-security
(Reporter)

Comment 35

8 years ago
Although the exploit doesn't affect the 1.8 branch because it uses functionality that doesn't exist there, we should take this small patch just in case there's another way to end up with a dangling selection timer.
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: blocking1.8.1.next?
Flags: blocking1.8.1.next+
(Reporter)

Updated

8 years ago
Whiteboard: [sg:critical] ZDI CanSecWest bug → [sg:critical] ZDI CanSecWest bug; exploit is post 1.8-branch
Verified for 1.9.0.9 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.9pre) Gecko/2009040206 GranParadiso/3.0.9pre (.NET CLR 3.5.30729) and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.9pre) Gecko/2009040204 GranParadiso/3.0.9pre.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090402 Shiretoko/3.5b4pre.
Keywords: fixed1.9.0.9, fixed1.9.1 → verified1.9.0.9, verified1.9.1

Updated

8 years ago
Attachment #368977 - Flags: approval1.8.1.next?
Attachment #368977 - Flags: approval1.8.0.next?

Comment 37

8 years ago
Comment on attachment 368977 [details] [diff] [review]
patch

code is the same, so it seems it makes sense to take this.

Updated

8 years ago
Flags: wanted1.8.0.x?
Flags: blocking1.8.0.next?
Flags: blocking1.8.0.next+

Updated

8 years ago
Attachment #368977 - Flags: approval1.8.0.next? → approval1.8.0.next+

Comment 38

8 years ago
Comment on attachment 368977 [details] [diff] [review]
patch

a=asac for 1.8.0
(Reporter)

Updated

8 years ago
Attachment #368977 - Flags: approval1.8.1.next? → approval1.8.1.next+
(Reporter)

Comment 39

8 years ago
fix checked into the 1.8.1 branch
Checking in layout/xul/base/src/tree/src/nsTreeSelection.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp,v  <--  nsTreeSelection.cpp
new revision: 1.47.4.1; previous revision: 1.47
Keywords: fixed1.8.1.22
Whiteboard: [sg:critical] ZDI CanSecWest bug; exploit is post 1.8-branch → [sg:critical] ZDI CanSecWest 2009 bug; exploit is post 1.8-branch
You need to log in before you can comment on or make changes to this bug.