Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a
10 years ago
6 years ago
(Reporter: cbook, Assigned: mrbkap)


Version: 1.9.1 Branch
OS: Windows XP
Keywords: crash, testcase, verified1.8.1.24, verified1.9.0.14, verified1.9.1
Bug Flags:
blocking1.9.0.14 +
wanted1.9.0.x +
wanted1.8.1.x +
in-testsuite +

Firefox Tracking Flags:
blocking1.9.1 .2+
status1.9.1 .2-fixed


(Whiteboard: [needs 1.8 landing][sg:critical?], URL)


10 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20090716

Steps to reproduce:

-Load :
-> Crash

(eb4.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=04b4d0da ebx=7ffd4000 ecx=3f6fdc36 edx=00000002 esi=06f56000 edi=06f47208
eip=1023d53a esp=0012e240 ebp=0012e248 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
1023d53a f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:06f47208=dddddddd ds:0023:06f56000=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a (Hash=0x6e021839.0x70393e49)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e248 005ad1a4 MSVCR80D!memcpy+0x5a
0012e28c 005ac540 js3250!do_replace+0x134
0012e310 005ac1a2 js3250!js_StringReplaceHelper+0x370
0012e334 0051aeba js3250!str_replace+0x82
0012ea64 0050709c js3250!js_Interpret+0x1179a
0012eb40 00507962 js3250!js_Invoke+0x95c
0012eb64 004b30ed js3250!js_InternalInvoke+0x82
0012eb8c 03016620 js3250!JS_CallFunctionValue+0x5d
0012ec3c 0307a2d9 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeb0 02ecee75 gklayout!nsJSEventListener::HandleEvent+0x10d9
0012ef9c 02ecf288 gklayout!nsEventListenerManager::HandleEventSubType+0x195
0012f010 02ed2ec0 gklayout!nsEventListenerManager::HandleEvent+0x398
0012f050 02ed3104 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02ed381e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bf0595 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 03a1788c gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039fa127 docshell!nsDocShell::EndPageLoad+0x8c
0012f5f0 03a1752a docshell!nsWebShell::EndPageLoad+0x127
0012f640 03a41149 docshell!nsDocShell::OnStateChange+0x2ea
0012f6ec 03a402eb docshell!nsDocLoader::FireOnStateChange+0x1f9

MSVCR80D? Not MOZCRT19? Why isn't this using Moz's CRT?

Comment 2

10 years ago
Because jemalloc won't build on debug Windows.
Duplicate of this bug: 505360
Created attachment 389595 [details] [diff] [review]
Proposed fix
Assignee: nobody → mrbkap
Attachment #389595 - Flags: review?(gal)

Comment 5

10 years ago
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

This is probably exploitable on a wide range of product builds.
Attachment #389595 - Flags: review?(gal)
Attachment #389595 - Flags: review+
Attachment #389595 - Flags: approval1.9.1.2?
Attachment #389595 - Flags: approval1.9.0.12?


10 years ago
Priority: -- → P2
Whiteboard: [sg:critical?]
blocking1.9.1: --- → ?
status1.9.1: --- → needstriage
Flags: blocking1.9.0.13?


10 years ago
Assignee: mrbkap → general
Component: General → JavaScript Engine
QA Contact: general → general


10 years ago
Flags: blocking1.9.2?
Assignee: general → mrbkap
Attachment #389595 - Flags: approval1.9.0.12? → approval1.9.0.13?
blocking1.9.1: ? → .2+
status1.9.1: ? → wanted
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Approved for a=ss for release-drivers
Attachment #389595 - Flags: approval1.9.1.2? → approval1.9.1.2+
Oh, and can we get a testcase attached to this bug before we lose the live one?
Created attachment 390349 [details]
reduced testcase
Last Resolved: 10 years ago
Resolution: --- → FIXED
Is this needed on the 1.8 branch?
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Keywords: testcase
The reduced testcase does crash Firefox
Flags: wanted1.8.1.x+
Comment on attachment 389595 [details] [diff] [review]
Proposed fix

Please remove the "hack me here" comment when you check in on branches. Hopefully people won't notice on trunk?

Approved for, a=dveditz for release-drivers
Attachment #389595 - Flags: approval1.9.0.13? → approval1.9.0.13+
Flags: →
Attachment #391019 - Flags: review?(gal)
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

3.5 crashes using the test case in comment #8, but 3.5.2 does not crash. Instead it brings up a printing dialog.
Keywords: verified1.9.1
Whiteboard: [sg:critical?] → [needs r=gal for 1.8 version][sg:critical?]


10 years ago
Attachment #391019 - Flags: review?(gal) → review+
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.209; previous revision: 3.208
Keywords: fixed1.9.0.14
Verified fixed for using the originally reported site and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It still crashes
Keywords: fixed1.9.0.14 → verified1.9.0.14
Whiteboard: [needs r=gal for 1.8 version][sg:critical?] → [needs 1.8 landing][sg:critical?]
Attachment #391019 - Flags:
Group: core-security
Comment on attachment 391019 [details] [diff] [review]
1.8 version

Approved for, a=dveditz for release-drivers
Attachment #391019 - Flags: →
(In reply to comment #18)
> (From update of attachment 391019 [details] [diff] [review])
> Approved for, a=dveditz for release-drivers

Checked in:
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision:; previous revision:
Keywords: fixed1.8.1.24
Verified for using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2010021903 Thunderbird/ ThunderBrowse/ with Thunderbrowse and testcase in comment 8. crashes on the testcase and brings up the print dialog and does not crash.
Keywords: fixed1.8.1.24 → verified1.8.1.24
Automatically extracted testcase for this bug was committed:
Flags: in-testsuite+