Bug 584512 (CVE-2010-2767)

nsPluginArray - memory corruption

RESOLVED FIXED

Status

Product: Core
Component: DOM
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 7 years ago

People

(Reporter: Sergey Glazunov, Assigned: mrbkap)

Tracking

Version: unspecified
Keywords: crash, testcase, verified1.9.1, verified1.9.2
Points:
---

Firefox Tracking Flags

(blocking2.0 beta4+, status2.0 wanted, blocking1.9.2 .9+, status1.9.2 .9-fixed, blocking1.9.1 .12+, status1.9.1 .12-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Looks like it's a use-after-free issue.
I think the testcase is self-explanatory, although it's quite weak: it takes a lot of time to trigger the crash.

Reproducible: Always

http://crash-stats.mozilla.com/report/index/4b3b731c-511c-484c-a13f-ff27b2100804

Also crashes 4.0b2.
(Reporter)

Comment 1

7 years ago
Created attachment 462935 [details]
testcase
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
status2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
OS: Windows 7 → All
Product: Firefox → Core
QA Contact: firefox → general
Hardware: x86 → All
Whiteboard: [sg:critical?]
Keywords: crash, testcase
status1.9.1: ? → wanted
status1.9.2: ? → wanted
status2.0: ? → wanted
mrbkap thinks he has a patch
Blocks: 544875
(Assignee)

Comment 3

7 years ago
Created attachment 462981 [details] [diff] [review]
Proposed fix

This should do it -- we need to ensure that we notify our weak references about stuff going away. I'll file a followup bug after this lands on getting rid of the manual refcounting.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #462981 - Flags: review?(jst)
Comment on attachment 462981 [details] [diff] [review]
Proposed fix

>+  if (mMimeTypeArray)
>+    mMimeTypeArray->Invalidate();
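Review bot: the member referenced in this hunk, mMimeTypeArray, does not match the field the reviewer identifies as mMimeTypes (s/mMimeTypeArray/mMimeTypes/g), so as written the null check and the Invalidate() call name a member that does not exist and the patch will not compile until it is renamed. The shape of the change is otherwise right for the use-after-free described in comment 3: guard on the pointer so an array that was never created is not touched, and invalidate the one that was so its weak references learn the owner is going away.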

s/mMimeTypeArray/mMimeTypes/g
(Assignee)

Comment 5

7 years ago
Created attachment 463008 [details] [diff] [review]
Oops, yes
Attachment #462981 - Attachment is obsolete: true
Attachment #463008 - Flags: review?(jst)
Attachment #462981 - Flags: review?(jst)

Updated

7 years ago
Attachment #463008 - Flags: review?(jst) → review+
Let's get this into the branches.
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .9+

Updated

7 years ago
blocking2.0: ? → beta4+
(Assignee)

Updated

7 years ago
Attachment #463008 - Flags: approval1.9.2.9?
Pushed to mozilla-central.

http://hg.mozilla.org/mozilla-central/rev/fe1b3c35fa9d
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 8

7 years ago
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for 1.9.2.9.
This needs to be landed as soon as possible. Does the same apply to 1.9.1?
Attachment #463008 - Flags: approval1.9.2.9? → approval1.9.2.9+
(Assignee)

Comment 9

7 years ago
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

Note: this patch applies cleanly after s|dom/base|dom/src/base|g
Attachment #463008 - Flags: approval1.9.1.12?

Comment 10

7 years ago
Comment on attachment 463008 [details] [diff] [review]
Oops, yes

a=LegNeato for 1.9.1.12
Attachment #463008 - Flags: approval1.9.1.12? → approval1.9.1.12+
(Assignee)

Comment 11

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a962fcafdd3e
status1.9.2: wanted → .9-fixed
(Assignee)

Comment 12

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/addd2db5f27d
status1.9.1: wanted → .12-fixed
Verified with attached testcase in 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.12pre) Gecko/20100817 Shiretoko/3.5.12pre ( .NET CLR 3.5.30729) and in 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9pre) Gecko/20100817 Namoroka/3.6.9pre ( .NET CLR 3.5.30729).
Keywords: verified1.9.1, verified1.9.2
Alias: CVE-2010-2767
Group: core-security