Last Comment Bug 574059 - (CVE-2010-2752) nsCSSValue::Array index integer overflow (can lead to remote code execution via CSS font-face) (ZDI-CAN-831)
(CVE-2010-2752)
: nsCSSValue::Array index integer overflow (can lead to remote code execution v...
Status: RESOLVED FIXED
[sg:critical?]
: verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: CSS Parsing and Computation (show other bugs)
: unspecified
: All All
: P1 critical (vote)
: mozilla2.0b1
Assigned To: David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch)
:
Mentors:
Depends on:
Blocks: 574750
  Show dependency treegraph
 
Reported: 2010-06-23 11:28 PDT by Reed Loden [:reed] (use needinfo?)
Modified: 2010-08-10 12:09 PDT (History)
12 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
final+
.7-fixed
.11-fixed


Attachments
patch (5.23 KB, patch)
2010-06-23 12:21 PDT, David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch)
bzbarsky: review+
Details | Diff | Review
1.9.2 patch (4.02 KB, patch)
2010-06-24 16:27 PDT, David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch)
christian: approval1.9.2.7+
Details | Diff | Review
1.9.1 patch (3.94 KB, patch)
2010-06-24 16:28 PDT, David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch)
christian: approval1.9.1.11+
Details | Diff | Review

Description Reed Loden [:reed] (use needinfo?) 2010-06-23 11:28:27 PDT
Created attachment 453442 [details]
PoC generator (python-based)

ZDI-CAN-831: Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following 
products:

    Mozilla Firefox 3.6.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within handling of references to external font
resources. A value is used as a 16 bit integer in an array allocation
and later as 32 bit when iterating over and then populating these
fields. By creating enough references, a remote attacker can exploit
this vulnerability to execute arbitrary code under the context of the
browser.


Version(s)  tested: 
00400000 004e0000   firefox    (deferred)             
    Image path: C:\Program Files\Mozilla Firefox\firefox.exe
    Image name: firefox.exe
    Timestamp:        Thu Apr 01 10:38:42 2010 (4BB4BE02)
    CheckSum:         000EA924
    ImageSize:        000E0000
    File version:     1.9.2.3743
    Product version:  3.6.3.0


Platform(s) tested:
Windows XP SP3 x86

http://mxr.mozilla.org/mozilla1.9.2/source/layout/style/nsCSSParser.cpp#7893
// alloc:
7892   nsRefPtr<nsCSSValue::Array> srcVals
7893     = nsCSSValue::Array::Create(values.Length());
 
// overflow: 
7899   PRUint32 i;
7900   for (i = 0; i < values.Length(); i++)
7901     srcVals->Item(i) = values[i];
  

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * J23 (http://twitter.com/HansJ23)
Comment 1 Reed Loden [:reed] (use needinfo?) 2010-06-23 11:48:35 PDT
bp-ba8f7c42-2b7b-4389-8e5d-2cb772100623

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a6pre) Gecko/20100623 Minefield/3.7a6pre
Comment 2 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-23 12:01:06 PDT
We should probably just change nsCSSValue::Array to PRUint32.  It was originally intended for only fixed-size things, but now it's being used for three things of author-controlled size:  'src' and 'unicode-range' inside @font-face, and min()/max() inside -moz-calc().
Comment 3 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-23 12:21:55 PDT
Created attachment 453462 [details] [diff] [review]
patch

This switches to size_t, which I think is the right thing to use for things like this (and we should tend to switch).  It might be larger than PRUint32, but it shouldn't be smaller on any platforms we support, and I think a mismatch that way around is ok.
Comment 4 Boris Zbarsky [:bz] (Out June 25-July 6) 2010-06-23 12:34:47 PDT
Comment on attachment 453462 [details] [diff] [review]
patch

Why does size_t make sense for the refcount?
Comment 5 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-23 13:10:12 PDT
The size of the address space limits the number of objects that could own a reference to something.
Comment 6 Boris Zbarsky [:bz] (Out June 25-July 6) 2010-06-23 13:28:57 PDT
Comment on attachment 453462 [details] [diff] [review]
patch

OK, I buy that.  We should consider using size_t for refcounts in general, then, and use the macros here.  Separate bug?
Comment 7 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-24 14:55:26 PDT
http://hg.mozilla.org/mozilla-central/pushloghtml
Comment 8 Reed Loden [:reed] (use needinfo?) 2010-06-24 16:00:05 PDT
(In reply to comment #7)
> http://hg.mozilla.org/mozilla-central/pushloghtml

http://hg.mozilla.org/mozilla-central/rev/800ef4b6087f, actually.

Does this also affect 1.9.1?
Comment 9 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-24 16:27:43 PDT
Created attachment 453897 [details] [diff] [review]
1.9.2 patch

With one chunk (the calc()-related one) removed, since calc() isn't on 1.9.2, plus some trivial merging.
Comment 10 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-24 16:28:18 PDT
Created attachment 453898 [details] [diff] [review]
1.9.1 patch

Just the 1.9.2 patch with some trivial (i.e., context) merging.
Comment 11 christian 2010-06-24 18:02:59 PDT
a=LegNeato for 1.9.2.6 and 1.9.1.11. Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default (*not* any relbranches).

The code freeze for both releases is this Friday (tomorrow) @ 11:59 PST.
Comment 12 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2010-06-24 18:24:02 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/0a8009ec6714
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2c38a62daa0a
Comment 13 [On PTO until 6/29] 2010-07-16 15:38:42 PDT
Verified for 1.9.2.7 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 (.NET CLR 3.5.30729). Verified crash with 1.9.2.6.

Verified for 1.9.1.11 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 Firefox/3.5.11 (.NET CLR 3.5.30729) as well. Crashes in 1.9.1.10.

Note You need to log in before you can comment on or make changes to this bug.