Bug 500574 (Closed)
Opened 15 years ago; closed 13 years ago
valgrind - invalid reads/writes of size 1,2,4 with flash in Flash_EnforceLocalSecurity
Categories: Core Graveyard :: Plug-ins, defect
Tracking: not tracked
Status: RESOLVED WORKSFORME
People: Reporter bc, Unassigned
References: none
Details: Keywords: meta, valgrind; Whiteboard: [sg:vector (Flash)] tracking flash fix
Attachments: 6 files
This is a flash bug, but I'm filing it here so we can get adobe to look at it. Flash 10 r 22. Loading http://static.xhamster.com/etplayer2.swf causes numerous invalid reads and writes of sizes 1, 2, 4 in Flash.
Comment 1•15 years ago
Updated•15 years ago
Attachment #385288 - Attachment is private: true
Comment 2•15 years ago
Peleus: we found this while investigating urls that cause a Firefox topcrash. This is probably unrelated to our topcrash since some of the stacks, like the one in bug 500105 comment 0, don't seem to have Flash loaded (surprisingly given its prevalence on the web). Invalid writes are bad juju we thought you should know about. Feel free to CC adobe folks on this bug so they can see it, or to move this to your internal bug system.
Whiteboard: [sg:vector (Flash)]
Updated•15 years ago
Attachment #385288 - Attachment is private: false
Comment 3•15 years ago
Thanks. I have forwarded it to our internal team. I am out of the office next week so I will not be able to post any follow ups until after the fourth of July weekend.
Comment 4•15 years ago
Note: I also found flash valgrind read/write errors with the tagged.com urls in bug 500105 comment 2. They appear to be in the advertisements, so you may need to try several times before you get the offender.
Comment 5•15 years ago
All of the swf on meebo's homepage also show invalid reads/writes. Either my build of valgrind is bad or there is a basic flaw in Flash on Mac OS X. Note that I did experience hangs at a minimum on meebo as well. I'll attach each here for analysis. Unless something else comes up, I'm done looking at bug 500105's hanging urls.
Comment 6•15 years ago
Comment 7•15 years ago
Comment 8•15 years ago
Updated•15 years ago
Keywords: meta
Whiteboard: [sg:vector (Flash)] → [sg:vector (Flash)] tracking flash fix
Updated•15 years ago
Summary: valgrind - invalid reads/writes of size 1,2,4 with flash → valgrind - invalid reads/writes of size 1,2,4 with flash in Flash_EnforceLocalSecurity
Comment 9•15 years ago
Also http://www.wdr.de/themen/global/webmedia/webtv/getwebtv.phtml?ref=3212 and http://www.afterellen.com/blog/stuntdouble/taylor-swift-goes-hip-hop . wdr.de crashed Windows as well.
Comment 10•15 years ago
Other examples of valgrind invalid reads/writes in Flash_EnforceLocalSecurity from the CFReadStreamGetStatus, Flash Player@0x91bd0 lists in bug 498971. I believe we have to assume that the majority of Mac only crashes in Flash can be blamed to some extent on this bug in Flash.
Comment 11•15 years ago
Michelle, sorry. I thought I had added you to this bug. Regarding your bug 498971 comment 7, I scanned several thousand urls where we crashed with signatures of CFReadStreamGetStatus or Flash Player (I ignored the list for Flash_EnforceLocalSecurity as I already had these examples). For example, bug 500939 contains several urls where I was able to reproduce the CFReadStreamGetStatus stack. I was not able to crash with the FlashPlayer list however. In addition, I found a number of urls which caused the browser to hang. I ran valgrind for mac on them and found that many if not most of them exhibited these invalid reads and writes in Flash_EnforceLocalSecurity. As you can see from http://crash-stats.mozilla.com/query/query?do_query=1&product=Firefox&version=Firefox%3A3.5&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query= http://crash-stats.mozilla.com/query/query?do_query=1&product=Firefox&version=Firefox%3A3.0.11&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query= Flash_EnforceLocalSecurity is our number 7 top crash in Firefox 3.5 and our number 2 top crash in Firefox 3.0.11. Regarding the severity of this bug in Flash, we pretty much consider an invalid write to be an indicator of an exploitable vulnerability.
Comment 12•15 years ago
We have investigated the CFReadStreamGetStatus crash, and it is a crash on a null pointer. We don't believe that any read/write is happening there.
Comment 13•15 years ago
Michelle, have you looked at the valgrind log in attachment 385290 [details] or tried the mac version of valgrind on the examples I attached to this bug? You can build valgrind for the mac from svn://svn.valgrind.org/valgrind/trunk ? If flash is stomping on memory, it could be crashing with a variety of different stacks.
Comment 14•13 years ago
Flash 10.3.181.22, loading each swf attachment. Fedora 14... No invalid reads or writes. Plenty of uninitialized uses and conditional uses of uninitialized data in the Flash plugin though. Mac OS X 10.5... No invalid reads or writes and no uninitialized uses.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Comment 15•13 years ago
Probably all these reports are invalid and caused by the fact that the Flash player has its own implementation of malloc and free (or whatever) that Valgrind doesn't understand.
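The thread separates three kinds of memcheck report: invalid reads/writes of a given size (comment 11 treats an invalid write as a sign of an exploitable bug), uninitialised-value uses (comment 14), and reports that may be spurious because Flash uses its own allocator (comment 15). The Python script below is added here and is not part of the bug or its attachments; it parses a constructed valgrind log fragment and tallies reports per kind and access size for every stack that passes through a given function, so a triager can see whether any invalid writes remain once the uninitialised-value noise is set aside. The log text, pid, addresses and frame names are all made up for the example.

```python
import re
from collections import Counter
# Constructed memcheck output (not from the bug's attachments); pid, addresses, frames are made up.
SAMPLE_LOG = """\
==4242== Invalid write of size 4
==4242==    at 0x1A2B30: Flash_EnforceLocalSecurity (in Flash Player)
==4242==    by 0x1B7F33: NPP_New (in Flash Player)
==4242==  Address 0x5f3c0d0 is 0 bytes after a block of size 16 alloc'd
==4242==    at 0x4C2AB80: malloc (vg_replace_malloc.c:270)
==4242== Invalid read of size 1
==4242==    at 0x1A2B44: Flash_EnforceLocalSecurity (in Flash Player)
==4242==    by 0x1B7F33: NPP_New (in Flash Player)
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x4C2F1A0: strlen (in vgpreload_memcheck.so)
==4242==    by 0x1A2B62: Flash_EnforceLocalSecurity (in Flash Player)
==4242== Invalid write of size 2
==4242==    at 0x1A2B30: Flash_EnforceLocalSecurity (in Flash Player)
"""

HEADER_RE = re.compile(r"^==\d+== (?:Invalid (read|write) of size (\d+)"
                       r"|Conditional jump or move depends on uninitialised value\(s\))$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ")

def parse_memcheck(log):
    """Return one dict per report: kind, access size, frames of the faulting access."""
    reports, collecting = [], False
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if m.group(1):   # invalid read/write with an access size
                kind, size = "invalid_" + m.group(1), int(m.group(2))
            else:            # uninitialised-value use: noise for exploitability triage
                kind, size = "uninit_cond", 0
            reports.append({"kind": kind, "size": size, "frames": []})
            collecting = True
        elif ADDR_RE.match(line):
            collecting = False  # frames after 'Address ...' are the allocation stack, not the access
        elif collecting:
            if (f := FRAME_RE.match(line)):
                reports[-1]["frames"].append(f.group(1))
    return reports

def tally(reports, function):
    """Count reports whose access stack passes through `function`, keyed by (kind, size)."""
    counts = Counter()
    for r in reports:
        if function in r["frames"]:
            counts[(r["kind"], r["size"])] += 1
    return counts
```

A stack whose innermost frames sit in the plugin's own allocator is the case comment 15 describes; such entries are candidates for a valgrind suppression rather than for the exploitability bucket.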
Comment 16•13 years ago
Sal, regarding Julian's comment 15, would you please comment on the validity of using valgrind to determine memory related errors in Flash on Linux and Mac?
Comment 17•13 years ago
Let me forward the question to the correct person who would know the details...
Updated•2 years ago
Product: Core → Core Graveyard