Placeholder for Pwn2Own bug found in Firefox at CanSecWest 2009
jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into 126.96.36.199 even though we're past codefreeze (April release) but May's 188.8.131.52 is more realistic. Needs to make 3.5b4.
Windows and OSX stacks look quite different :/ Does this crash on trunk/1.9.1? If not, my guess is that bug 430214 fixed this. Especially this https://bugzilla.mozilla.org/attachment.cgi?id=348637&action=edit It changed nsTreeSelection::FireOnSelectHandler to asynchronous.
(In reply to comment #4) > Does this crash on trunk/1.9.1? I was told it does crash, so something else then...
Here's yet a different Windows crash, in Shiretoko rather than 3.0.7 bp-bccadf08-a8f0-4a6f-8374-47c802090323 what does nsTextServicesDocument::InitWithEditor have to do with this testcase?
This sounds like memory stomping somewhere. valgrind might shed some light.
Created attachment 368965 [details] safer starting point Here's a safer starting point. The guts of the testcase are still in the poc.zip, but this copy of hold.html has the shellcode replaced with %u4141...
Yeah, need to fix this for the reasons stated above. Neil: are you the right dude to be looking at this?
Created attachment 368977 [details] [diff] [review] patch Could someone please test this on non-linux.
I haven't yet checked if timer code should be actually fixed.
I tested this on 1.9.1 / 64bit linux / debug build
(In reply to comment #11) > I haven't yet checked if timer code should be actually fixed. But for 1.9.0 the patch might be the safest fix - shouldn't cause regressions.
Note that I never got the PoC to crash in a debug build so the patch will have to be verified in an opt build.
Comment on attachment 368977 [details] [diff] [review] patch So, InitWithFuncCallback is used, passing this is unsafe *unless* timer is canceled before deleting this.
Comment on attachment 368977 [details] [diff] [review] patch This makes sense. Good catch!
Comment on attachment 368977 [details] [diff] [review] patch r=dveditz Tested in opt builds and this patch stops the mac crashes I was seeing (I never got a debug build to crash). Since I was seeing completely different stacks on windows I'd like to verify this there as well.
Comment on attachment 368977 [details] [diff] [review] patch Does this have to go in on trunk and branch at the same time, or can we bake it there a bit first? Either way, it's a blocker, so doesn't need a191.
http://hg.mozilla.org/mozilla-central/rev/6955c8360d08 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/60caf43ff9c2 This does still need verification on windows.
The patch does fix the crash also on 1.9.0 (tested on linux).
The patch seems to fix the crash for me in my trunk debug build on windows XP.
Comment on attachment 368977 [details] [diff] [review] patch Approved for 184.108.40.206, a=dveditz for release-drivers Can you land this ASAP? we're well beyond code-freeze for 220.127.116.11
Checking in layout/xul/base/src/tree/src/nsTreeSelection.cpp; /cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp,v <-- nsTreeSelection.cpp new revision: 1.59; previous revision: 1.58 done
Stops the crash on windows for me as well (tested shiretoko tinderbox build).
Olli: Does this bug affect 1.8? We're taking it in a firedrilled Firefox 3.0.8, so if so, we'll want to get a patch ready for the distros to take.
I can't reproduce the crash on 1.8.1, but I don't know why. The code is the same. The patch applies to 1.8.1 too (just need to use --fuzz=3)
Ah, 1.8.1 doesn't seem to have bug 362680. So reproducing would need some changes to the testcase.
1.8.0 is in the same boat as above. patch applies with fuzz=3, but testcase doesn't work
Should this have a crashtest?
Not yet, IMO. As far as I know the testcase is not public yet.
This is CVE-2009-1044
No, MITRE assigned this based only off of the announcement from CanSecWest. If you look at the CVE id information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1044 There is nothing of consequence there. It's just a placeholder.
Verified using: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:18.104.22.168) Gecko/2009032608 Firefox/3.0.8 Also verified with Fx308 on Ubuntu 8.10 and Windows XP and Vista. Mac Fx307 crashed with the test case. Fx307 did not crash on Linux nor Windows(xp/vista) VMs for me. Fx307 did crash on a windows installation running on hardware, however.
Although the exploit doesn't affect the 1.8 branch because it uses functionality that doesn't exist there, we should take this small patch just in case there's another way to end up with a dangling selection timer.
Verified for 22.214.171.124 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199pre) Gecko/2009040206 GranParadiso/3.0.9pre (.NET CLR 3.5.30729) and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:188.8.131.52pre) Gecko/2009040204 GranParadiso/3.0.9pre. Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090402 Shiretoko/3.5b4pre.
Comment on attachment 368977 [details] [diff] [review] patch code is the same, so it seems it makes sense to take this.
fix checked into the 1.8.1 branch Checking in layout/xul/base/src/tree/src/nsTreeSelection.cpp; /cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp,v <-- nsTreeSelection.cpp new revision: 184.108.40.206; previous revision: 1.47