Closed
Bug 505305
Opened 15 years ago
Closed 15 years ago
Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a
Categories
(Core :: JavaScript Engine, defect, P2)
RESOLVED
FIXED
People
(Reporter: cbook, Assigned: mrbkap)
Details
(5 keywords, Whiteboard: [needs 1.8 landing][sg:critical?])
Attachments
(3 files)
920 bytes, patch | gal: review+ | samuel.sidler+old: approval1.9.1.2+ | dveditz: approval1.9.0.14+
64 bytes, text/plain
1.13 KB, patch | gal: review+ | dveditz: approval1.8.1.next+
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716
Shiretoko/3.5.1pre
Steps to reproduce:
- Load: http://www.donorschoose.org/donors/search.html?page=9&keywords=music&max=50
-> Crash
(eb4.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=04b4d0da ebx=7ffd4000 ecx=3f6fdc36 edx=00000002 esi=06f56000 edi=06f47208
eip=1023d53a esp=0012e240 ebp=0012e248 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
MSVCR80D!memcpy+0x5a:
1023d53a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] es:0023:06f47208=dddddddd ds:0023:06f56000=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a (Hash=0x6e021839.0x70393e49)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e248 005ad1a4 MSVCR80D!memcpy+0x5a
0012e28c 005ac540 js3250!do_replace+0x134
0012e310 005ac1a2 js3250!js_StringReplaceHelper+0x370
0012e334 0051aeba js3250!str_replace+0x82
0012ea64 0050709c js3250!js_Interpret+0x1179a
0012eb40 00507962 js3250!js_Invoke+0x95c
0012eb64 004b30ed js3250!js_InternalInvoke+0x82
0012eb8c 03016620 js3250!JS_CallFunctionValue+0x5d
0012ec3c 0307a2d9 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeb0 02ecee75 gklayout!nsJSEventListener::HandleEvent+0x10d9
0012ef9c 02ecf288 gklayout!nsEventListenerManager::HandleEventSubType+0x195
0012f010 02ed2ec0 gklayout!nsEventListenerManager::HandleEvent+0x398
0012f050 02ed3104 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02ed381e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bf0595 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 03a1788c gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039fa127 docshell!nsDocShell::EndPageLoad+0x8c
0012f5f0 03a1752a docshell!nsWebShell::EndPageLoad+0x127
0012f640 03a41149 docshell!nsDocShell::OnStateChange+0x2ea
0012f6ec 03a402eb docshell!nsDocLoader::FireOnStateChange+0x1f9
quit:
Comment 1•15 years ago
MSVCR80D? Not MOZCRT19? Why isn't this using Moz's CRT?
Comment 2•15 years ago
Because jemalloc won't build on debug Windows.
Assignee
Comment 4•15 years ago
Comment 5•15 years ago
Comment on attachment 389595 (Proposed fix)
This is probably exploitable on a wide range of product builds.
Attachment #389595 - Flags: review?(gal)
Attachment #389595 - Flags: review+
Attachment #389595 - Flags: approval1.9.1.2?
Attachment #389595 - Flags: approval1.9.0.12?
Updated•15 years ago
Priority: -- → P2
Whiteboard: [sg:critical?]
Assignee
Updated•15 years ago
Reporter
Updated•15 years ago
Assignee: mrbkap → general
Component: General → JavaScript Engine
QA Contact: general → general
Reporter
Updated•15 years ago
Flags: blocking1.9.2?
Assignee
Updated•15 years ago
Assignee: general → mrbkap
Updated•15 years ago
Attachment #389595 - Flags: approval1.9.0.12? → approval1.9.0.13?
Updated•15 years ago
blocking1.9.1: ? → .2+
Comment 6•15 years ago
Comment on attachment 389595 (Proposed fix)
Approved for 1.9.1.2. a=ss for release-drivers
Attachment #389595 - Flags: approval1.9.1.2? → approval1.9.1.2+
Comment 7•15 years ago
Oh, and can we get a testcase attached to this bug before we lose the live one?
Assignee
Comment 8•15 years ago
Assignee
Comment 9•15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 10•15 years ago
Is this needed on the 1.8 branch?
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Keywords: testcase
Comment 11•15 years ago
The reduced testcase does crash Firefox 2.0.0.20.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next?
Comment 12•15 years ago
Comment on attachment 389595 (Proposed fix)
Please remove the "hack me here" comment when you check in on branches. Hopefully people won't notice on trunk?
Approved for 1.9.0.13, a=dveditz for release-drivers
Attachment #389595 - Flags: approval1.9.0.13? → approval1.9.0.13+
Assignee
Comment 13•15 years ago
Updated•15 years ago
Flags: blocking1.8.1.next? → blocking1.8.1.next+
Comment 14•15 years ago
Updated•15 years ago
Attachment #391019 - Flags: review?(gal)
Comment 15•15 years ago
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
3.5 crashes using the test case in comment #8, but 3.5.2 does not crash. Instead it brings up a printing dialog.
Keywords: verified1.9.1
Updated•15 years ago
Whiteboard: [sg:critical?] → [needs r=gal for 1.8 version][sg:critical?]
Updated•15 years ago
Attachment #391019 - Flags: review?(gal) → review+
Assignee
Comment 16•15 years ago
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v <-- jsstr.c
new revision: 3.209; previous revision: 3.208
done
Keywords: fixed1.9.0.14
Comment 17•15 years ago
Verified fixed for 1.9.0.14 using the originally reported site and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It still crashes 1.9.0.13.
Keywords: fixed1.9.0.14 → verified1.9.0.14
Updated•15 years ago
Whiteboard: [needs r=gal for 1.8 version][sg:critical?] → [needs 1.8 landing][sg:critical?]
Updated•15 years ago
Attachment #391019 - Flags: approval1.8.1.next?
Updated•15 years ago
Group: core-security
Comment 18•15 years ago
Comment on attachment 391019 (1.8 version)
Approved for 1.8.1.24, a=dveditz for release-drivers
Attachment #391019 - Flags: approval1.8.1.next? → approval1.8.1.next+
Comment 19•15 years ago
(In reply to comment #18)
> (From update of attachment 391019)
> Approved for 1.8.1.24, a=dveditz for release-drivers
Checked in:
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v <-- jsstr.c
new revision: 3.108.2.14; previous revision: 3.108.2.13
done
Keywords: fixed1.8.1.24
Comment 20•15 years ago
Verified for 1.8.1.24 using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24pre) Gecko/2010021903 Thunderbird/2.0.0.24pre ThunderBrowse/3.2.8.1 with ThunderBrowse and the testcase in comment 8. 2.0.0.23 crashes on the testcase; 2.0.0.24pre brings up the print dialog and does not crash.
Keywords: fixed1.8.1.24 → verified1.8.1.24
Comment 21•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+