
Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a

RESOLVED FIXED

Status


Core
JavaScript Engine
P2
critical
RESOLVED FIXED
8 years ago
4 years ago

People

(Reporter: Tomcat, Assigned: mrbkap)

Tracking

(5 keywords)

1.9.1 Branch
x86
Windows XP
crash, testcase, verified1.8.1.24, verified1.9.0.14, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.0.14 +
wanted1.9.0.x +
blocking1.8.1.next +
wanted1.8.1.x +
in-testsuite +

Firefox Tracking Flags

(blocking1.9.1 .2+, status1.9.1 .2-fixed)

Details

(Whiteboard: [needs 1.8 landing][sg:critical?], URL)

Attachments

(3 attachments)

(Reporter)

Description

8 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716
Shiretoko/3.5.1pre

Steps to reproduce:

- Load: http://www.donorschoose.org/donors/search.html?page=9&keywords=music&max=50
-> Crash

(eb4.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=04b4d0da ebx=7ffd4000 ecx=3f6fdc36 edx=00000002 esi=06f56000 edi=06f47208
eip=1023d53a esp=0012e240 ebp=0012e248 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
-
MSVCR80D!memcpy+0x5a:
1023d53a f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:06f47208=dddddddd ds:0023:06f56000=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a (Hash=0x6e021839.0x70393e49)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e248 005ad1a4 MSVCR80D!memcpy+0x5a
0012e28c 005ac540 js3250!do_replace+0x134
0012e310 005ac1a2 js3250!js_StringReplaceHelper+0x370
0012e334 0051aeba js3250!str_replace+0x82
0012ea64 0050709c js3250!js_Interpret+0x1179a
0012eb40 00507962 js3250!js_Invoke+0x95c
0012eb64 004b30ed js3250!js_InternalInvoke+0x82
0012eb8c 03016620 js3250!JS_CallFunctionValue+0x5d
0012ec3c 0307a2d9 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeb0 02ecee75 gklayout!nsJSEventListener::HandleEvent+0x10d9
0012ef9c 02ecf288 gklayout!nsEventListenerManager::HandleEventSubType+0x195
0012f010 02ed2ec0 gklayout!nsEventListenerManager::HandleEvent+0x398
0012f050 02ed3104 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02ed381e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bf0595 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 03a1788c gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039fa127 docshell!nsDocShell::EndPageLoad+0x8c
0012f5f0 03a1752a docshell!nsWebShell::EndPageLoad+0x127
0012f640 03a41149 docshell!nsDocShell::OnStateChange+0x2ea
0012f6ec 03a402eb docshell!nsDocLoader::FireOnStateChange+0x1f9
quit:

MSVCR80D? Not MOZCRT19? Why isn't this using Moz's CRT?

Comment 2

8 years ago
Because jemalloc won't build on debug Windows.
(Assignee)

Updated

8 years ago
Duplicate of this bug: 505360
(Assignee)

Comment 4

8 years ago
Created attachment 389595 [details] [diff] [review]
Proposed fix
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #389595 - Flags: review?(gal)

Comment 5

8 years ago
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

This is probably exploitable on a wide range of product builds.
Attachment #389595 - Flags: review?(gal)
Attachment #389595 - Flags: review+
Attachment #389595 - Flags: approval1.9.1.2?
Attachment #389595 - Flags: approval1.9.0.12?

Updated

8 years ago
Priority: -- → P2
Whiteboard: [sg:critical?]
(Assignee)

Updated

8 years ago
blocking1.9.1: --- → ?
status1.9.1: --- → needstriage
Flags: blocking1.9.0.13?
(Reporter)

Updated

8 years ago
Assignee: mrbkap → general
Component: General → JavaScript Engine
QA Contact: general → general
(Reporter)

Updated

8 years ago
Flags: blocking1.9.2?
(Assignee)

Updated

8 years ago
Assignee: general → mrbkap
Attachment #389595 - Flags: approval1.9.0.12? → approval1.9.0.13?
blocking1.9.1: ? → .2+
status1.9.1: ? → wanted
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Approved for 1.9.1.2. a=ss for release-drivers
Attachment #389595 - Flags: approval1.9.1.2? → approval1.9.1.2+
Oh, and can we get a testcase attached to this bug before we lose the live one?
(Assignee)

Comment 8

8 years ago
Created attachment 390349 [details]
reduced testcase
(Assignee)

Comment 9

8 years ago
http://hg.mozilla.org/mozilla-central/rev/7038ffdb23cb
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Is this needed on the 1.8 branch?
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Keywords: testcase
The reduced testcase does crash Firefox 2.0.0.20.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next?
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Please remove the "hack me here" comment when you check in on branches. Hopefully people won't notice on trunk?

Approved for 1.9.0.13, a=dveditz for release-drivers
Attachment #389595 - Flags: approval1.9.0.13? → approval1.9.0.13+
(Assignee)

Comment 13

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/42dd0d5eb6ca
status1.9.1: wanted → .2-fixed
Flags: blocking1.8.1.next? → blocking1.8.1.next+

Comment 14

8 years ago
Created attachment 391019 [details] [diff] [review]
1.8 version

Updated

8 years ago
Attachment #391019 - Flags: review?(gal)
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

3.5 crashes using the test case in comment #8, but 3.5.2 does not crash. Instead it brings up a printing dialog.
Keywords: verified1.9.1
Whiteboard: [sg:critical?] → [needs r=gal for 1.8 version][sg:critical?]

Updated

8 years ago
Attachment #391019 - Flags: review?(gal) → review+
(Assignee)

Comment 16

8 years ago
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.209; previous revision: 3.208
done
Keywords: fixed1.9.0.14
Verified fixed for 1.9.0.14 using the originally reported site and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It still crashes 1.9.0.13.
Keywords: fixed1.9.0.14 → verified1.9.0.14
Whiteboard: [needs r=gal for 1.8 version][sg:critical?] → [needs 1.8 landing][sg:critical?]
Attachment #391019 - Flags: approval1.8.1.next?
Group: core-security
Comment on attachment 391019 [details] [diff] [review]
1.8 version

Approved for 1.8.1.24, a=dveditz for release-drivers
Attachment #391019 - Flags: approval1.8.1.next? → approval1.8.1.next+
(In reply to comment #18)
> (From update of attachment 391019 [details] [diff] [review])
> Approved for 1.8.1.24, a=dveditz for release-drivers

Checked in:
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.108.2.14; previous revision: 3.108.2.13
done
Keywords: fixed1.8.1.24
Verified for 1.8.1.24 using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24pre) Gecko/2010021903 Thunderbird/2.0.0.24pre ThunderBrowse/3.2.8.1 with Thunderbrowse and testcase in comment 8. 2.0.0.23 crashes on the testcase and 2.0.0.24pre brings up the print dialog and does not crash.
Keywords: fixed1.8.1.24 → verified1.8.1.24
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+