Last Comment Bug 505305 - Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a
: Probably Exploitable - Read Access Violation on Block Data Move starting at M...
Status: RESOLVED FIXED
[needs 1.8 landing][sg:critical?]
: crash, testcase, verified1.8.1.24, verified1.9.0.14, verified1.9.1
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: 1.9.1 Branch
: x86 Windows XP
: P2 critical (vote)
: ---
Assigned To: Blake Kaplan (:mrbkap)
:
:
Mentors:
http://www.donorschoose.org/donors/ s...
: 505360 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-20 12:40 PDT by Carsten Book [:Tomcat]
Modified: 2013-02-07 05:15 PST (History)
16 users (show)
dveditz: blocking1.9.0.14+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.next+
brandon: wanted1.8.1.x+
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
.2+
.2-fixed


Attachments
Proposed fix (920 bytes, patch)
2009-07-20 18:13 PDT, Blake Kaplan (:mrbkap)
gal: review+
samuel.sidler+old: approval1.9.1.2+
dveditz: approval1.9.0.14+
Details | Diff | Splinter Review
reduced testcase (64 bytes, text/plain)
2009-07-23 15:53 PDT, Blake Kaplan (:mrbkap)
no flags Details
1.8 version (1.13 KB, patch)
2009-07-28 00:20 PDT, Martin Stránský
gal: review+
dveditz: approval1.8.1.next+
Details | Diff | Splinter Review

Description Carsten Book [:Tomcat] 2009-07-20 12:40:42 PDT
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716
Shiretoko/3.5.1pre

Steps to reproduce:

-Load : http://www.donorschoose.org/donors/
search.html?page=9&keywords=music&max=50
-> Crash

(eb4.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=04b4d0da ebx=7ffd4000 ecx=3f6fdc36 edx=00000002 esi=06f56000 edi=06f47208
eip=1023d53a esp=0012e240 ebp=0012e248 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
-
MSVCR80D!memcpy+0x5a:
1023d53a f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:06f47208=dddddddd ds:0023:06f56000=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a (Hash=0x6e021839.0x70393e49)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e248 005ad1a4 MSVCR80D!memcpy+0x5a
0012e28c 005ac540 js3250!do_replace+0x134
0012e310 005ac1a2 js3250!js_StringReplaceHelper+0x370
0012e334 0051aeba js3250!str_replace+0x82
0012ea64 0050709c js3250!js_Interpret+0x1179a
0012eb40 00507962 js3250!js_Invoke+0x95c
0012eb64 004b30ed js3250!js_InternalInvoke+0x82
0012eb8c 03016620 js3250!JS_CallFunctionValue+0x5d
0012ec3c 0307a2d9 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeb0 02ecee75 gklayout!nsJSEventListener::HandleEvent+0x10d9
0012ef9c 02ecf288 gklayout!nsEventListenerManager::HandleEventSubType+0x195
0012f010 02ed2ec0 gklayout!nsEventListenerManager::HandleEvent+0x398
0012f050 02ed3104 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02ed381e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bf0595 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 03a1788c gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039fa127 docshell!nsDocShell::EndPageLoad+0x8c
0012f5f0 03a1752a docshell!nsWebShell::EndPageLoad+0x127
0012f640 03a41149 docshell!nsDocShell::OnStateChange+0x2ea
0012f6ec 03a402eb docshell!nsDocLoader::FireOnStateChange+0x1f9
quit:
Comment 1 Nelson Bolyard (seldom reads bugmail) 2009-07-20 12:43:08 PDT
MSVCR80D ?  not MOZCRT19 ?  Why isn't this using Moz's CRT?
Comment 2 Bob Clary [:bc:] 2009-07-20 13:00:47 PDT
because jemalloc won't build on debug windows.
Comment 3 Blake Kaplan (:mrbkap) 2009-07-20 18:11:48 PDT
*** Bug 505360 has been marked as a duplicate of this bug. ***
Comment 4 Blake Kaplan (:mrbkap) 2009-07-20 18:13:34 PDT
Created attachment 389595 [details] [diff] [review]
Proposed fix
Comment 5 Andreas Gal :gal 2009-07-20 18:20:03 PDT
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

This is probably exploitable on a wide range of product builds.
Comment 6 Samuel Sidler (old account; do not CC) 2009-07-21 21:09:02 PDT
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Approved for 1.9.1.2. a=ss for release-drivers
Comment 7 Samuel Sidler (old account; do not CC) 2009-07-21 21:09:32 PDT
Oh, and can we get a testcase attached to this bug before we lose the live one?
Comment 8 Blake Kaplan (:mrbkap) 2009-07-23 15:53:30 PDT
Created attachment 390349 [details]
reduced testcase
Comment 9 Blake Kaplan (:mrbkap) 2009-07-23 16:04:30 PDT
http://hg.mozilla.org/mozilla-central/rev/7038ffdb23cb
Comment 10 Daniel Veditz [:dveditz] 2009-07-24 15:39:15 PDT
Is this needed on the 1.8 branch?
Comment 11 Brandon Sterne (:bsterne) 2009-07-24 15:43:48 PDT
The reduced testcase does crash Firefox 2.0.0.20.
Comment 12 Daniel Veditz [:dveditz] 2009-07-24 15:50:38 PDT
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Please remove the "hack me here" comment when you check in on branches. Hopefully people won't notice on trunk?

Approved for 1.9.0.13, a=dveditz for release-drivers
Comment 13 Blake Kaplan (:mrbkap) 2009-07-27 17:08:39 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/42dd0d5eb6ca
Comment 14 Martin Stránský 2009-07-28 00:20:42 PDT
Created attachment 391019 [details] [diff] [review]
1.8 version
Comment 15 juan becerra [:juanb] 2009-07-30 17:11:29 PDT
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

3.5 crashes using test case in comment #8, but 3.5.2 it does not crash. Instead it brings up a printing dialog.
Comment 16 Blake Kaplan (:mrbkap) 2009-08-10 17:54:26 PDT
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.209; previous revision: 3.208
done
Comment 17 Al Billings [:abillings] 2009-08-19 11:51:49 PDT
Verified fixed for 1.9.0.14 using the originally reported site and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It still crashes 1.9.0.13.
Comment 18 Daniel Veditz [:dveditz] 2009-12-21 14:32:31 PST
Comment on attachment 391019 [details] [diff] [review]
1.8 version

Approved for 1.8.1.24, a=dveditz for release-drivers
Comment 19 Mark Banner (:standard8) 2010-02-05 03:04:36 PST
(In reply to comment #18)
> (From update of attachment 391019 [details] [diff] [review])
> Approved for 1.8.1.24, a=dveditz for release-drivers

Checked in:
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.108.2.14; previous revision: 3.108.2.13
done
Comment 20 Al Billings [:abillings] 2010-02-19 15:56:33 PST
Verified for 1.8.1.24 using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24pre) Gecko/2010021903 Thunderbird/2.0.0.24pre ThunderBrowse/3.2.8.1 with Thunderbrowse and testcase in comment 8. 2.0.0.23 crashes on the testcase and 2.0.0.24pre brings up the print dialog and does not crash.
Comment 21 Christian Holler (:decoder) 2013-02-07 05:15:58 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397

Note You need to log in before you can comment on or make changes to this bug.