Closed Bug 505305 Opened 11 years ago Closed 11 years ago

Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a

Categories: Core :: JavaScript Engine, defect, P2, critical
Version: 1.9.1 Branch
Hardware: x86, Windows XP
Status: RESOLVED FIXED
Tracking Status: blocking1.9.1 --- .2+; status1.9.1 --- .2-fixed
People: Reporter: cbook, Assigned: mrbkap
Details: 5 keywords, Whiteboard: [needs 1.8 landing][sg:critical?]
Attachments: 3 files

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 Shiretoko/3.5.1pre

Steps to reproduce:

- Load: http://www.donorschoose.org/donors/search.html?page=9&keywords=music&max=50
-> Crash

(eb4.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=04b4d0da ebx=7ffd4000 ecx=3f6fdc36 edx=00000002 esi=06f56000 edi=06f47208
eip=1023d53a esp=0012e240 ebp=0012e248 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
-
MSVCR80D!memcpy+0x5a:
1023d53a f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:06f47208=dddddddd ds:0023:06f56000=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a (Hash=0x6e021839.0x70393e49)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e248 005ad1a4 MSVCR80D!memcpy+0x5a
0012e28c 005ac540 js3250!do_replace+0x134
0012e310 005ac1a2 js3250!js_StringReplaceHelper+0x370
0012e334 0051aeba js3250!str_replace+0x82
0012ea64 0050709c js3250!js_Interpret+0x1179a
0012eb40 00507962 js3250!js_Invoke+0x95c
0012eb64 004b30ed js3250!js_InternalInvoke+0x82
0012eb8c 03016620 js3250!JS_CallFunctionValue+0x5d
0012ec3c 0307a2d9 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeb0 02ecee75 gklayout!nsJSEventListener::HandleEvent+0x10d9
0012ef9c 02ecf288 gklayout!nsEventListenerManager::HandleEventSubType+0x195
0012f010 02ed2ec0 gklayout!nsEventListenerManager::HandleEvent+0x398
0012f050 02ed3104 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02ed381e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bf0595 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 03a1788c gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039fa127 docshell!nsDocShell::EndPageLoad+0x8c
0012f5f0 03a1752a docshell!nsWebShell::EndPageLoad+0x127
0012f640 03a41149 docshell!nsDocShell::OnStateChange+0x2ea
0012f6ec 03a402eb docshell!nsDocLoader::FireOnStateChange+0x1f9
quit:
MSVCR80D ?  not MOZCRT19 ?  Why isn't this using Moz's CRT?
because jemalloc won't build on debug windows.
Duplicate of this bug: 505360
Attached patch: Proposed fix
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #389595 - Flags: review?(gal)
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

This is probably exploitable on a wide range of product builds.
Attachment #389595 - Flags: review?(gal)
Attachment #389595 - Flags: review+
Attachment #389595 - Flags: approval1.9.1.2?
Attachment #389595 - Flags: approval1.9.0.12?
Priority: -- → P2
Whiteboard: [sg:critical?]
blocking1.9.1: --- → ?
Flags: blocking1.9.0.13?
Assignee: mrbkap → general
Component: General → JavaScript Engine
QA Contact: general → general
Flags: blocking1.9.2?
Assignee: general → mrbkap
Attachment #389595 - Flags: approval1.9.0.12? → approval1.9.0.13?
blocking1.9.1: ? → .2+
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Approved for 1.9.1.2. a=ss for release-drivers
Attachment #389595 - Flags: approval1.9.1.2? → approval1.9.1.2+
Oh, and can we get a testcase attached to this bug before we lose the live one?
http://hg.mozilla.org/mozilla-central/rev/7038ffdb23cb
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Is this needed on the 1.8 branch?
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Keywords: testcase
The reduced testcase does crash Firefox 2.0.0.20.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next?
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Please remove the "hack me here" comment when you check in on branches. Hopefully people won't notice on trunk?

Approved for 1.9.0.13, a=dveditz for release-drivers
Attachment #389595 - Flags: approval1.9.0.13? → approval1.9.0.13+
Flags: blocking1.8.1.next? → blocking1.8.1.next+
Attachment #391019 - Flags: review?(gal)
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

3.5 crashes using the test case in comment #8, but 3.5.2 does not crash. Instead it brings up a printing dialog.
Keywords: verified1.9.1
Whiteboard: [sg:critical?] → [needs r=gal for 1.8 version][sg:critical?]
Attachment #391019 - Flags: review?(gal) → review+
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.209; previous revision: 3.208
done
Keywords: fixed1.9.0.14
Verified fixed for 1.9.0.14 using the originally reported site and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It still crashes 1.9.0.13.
Whiteboard: [needs r=gal for 1.8 version][sg:critical?] → [needs 1.8 landing][sg:critical?]
Attachment #391019 - Flags: approval1.8.1.next?
Group: core-security
Comment on attachment 391019 [details] [diff] [review]
1.8 version

Approved for 1.8.1.24, a=dveditz for release-drivers
Attachment #391019 - Flags: approval1.8.1.next? → approval1.8.1.next+
(In reply to comment #18)
> (From update of attachment 391019 [details] [diff] [review])
> Approved for 1.8.1.24, a=dveditz for release-drivers

Checked in:
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.108.2.14; previous revision: 3.108.2.13
done
Keywords: fixed1.8.1.24
Verified for 1.8.1.24 using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24pre) Gecko/2010021903 Thunderbird/2.0.0.24pre ThunderBrowse/3.2.8.1 with Thunderbrowse and testcase in comment 8. 2.0.0.23 crashes on the testcase and 2.0.0.24pre brings up the print dialog and does not crash.
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+