Bug 588929 (CVE-2010-3180)

Use after free - nsBarProp

RESOLVED FIXED

Status


Core
DOM
--
critical
RESOLVED FIXED
7 years ago
3 years ago

People

(Reporter: Sergey Glazunov, Assigned: smaug)

Tracking

Trunk
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 .11+, status1.9.2 .11-fixed, blocking1.9.1 .14+, status1.9.1 .14-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(4 attachments)

(Reporter)

Description

7 years ago
Reproduced on 4.0b5pre and 3.6.8.
The repro contains this:

  w = open(1, 1, 1);
  o = w.locationbar;
  w.close();
  
  s = '';
  setInterval('s += o.visible', 50);

http://crash-stats.mozilla.com/report/index/1b83dc24-cdb7-4435-838d-643822100819
(Reporter)

Comment 1

7 years ago
Created attachment 467523 [details]
testcase
(Assignee)

Updated

7 years ago
Assignee: nobody → Olli.Pettay

Comment 2

7 years ago
This signature shows up in the wild around 10-25 times a day as well.
Mostly with people on http://www.hulu.com/watch and a few video sites. I mostly see this on 3.6.x releases where active daily users are 1 million+

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=nsBarProp%3A%3AGetVisibleByFlag&date=08%2F19%2F2010%2013%3A43%3A59&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsBarProp%3A%3AGetVisibleByFlag%28int*%2C%20unsigned%20int%29
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Whiteboard: [sg:critical]
(Assignee)

Comment 3

7 years ago
Just FYI, this is a "regression" from <tbogard@aol.net> 2000-02-08 05:38.
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
(Assignee)

Updated

7 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
(Assignee)

Comment 4

7 years ago
Created attachment 467554 [details] [diff] [review]
patch

This is the simplest fix I could think of. And it's better to make those
nsBarProp methods not throw.
Attachment #467554 - Flags: superreview?(mrbkap)
Attachment #467554 - Flags: review?(jst)
(Assignee)

Comment 5

7 years ago
Another, not quite as simple, option would be to have a weak reference (not raw) to the
DOMWindow, and get the browser chrome from it.

Updated

7 years ago
Attachment #467554 - Flags: superreview?(mrbkap) → superreview+
Is this related to bug 575102?

Comment 7

7 years ago
If this gets reviewed and can land today it will make 3.6.9/3.5.12. If not, it will have to wait for the next release. Please ask for landing approval when/if it gets ready today. Thanks!

Updated

7 years ago
Attachment #467554 - Flags: review?(jst) → review+

Updated

7 years ago
blocking2.0: ? → final+

Updated

7 years ago
blocking1.9.1: ? → .13+
blocking1.9.2: ? → .10+
(Assignee)

Updated

7 years ago
Attachment #467554 - Flags: approval2.0?

Updated

7 years ago
Attachment #467554 - Flags: approval2.0?
Blocks: 575102
(Assignee)

Comment 8

7 years ago
http://hg.mozilla.org/mozilla-central/rev/7de93c31c0f2
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

7 years ago
Created attachment 475069 [details] [diff] [review]
for 1.9.2
Attachment #475069 - Flags: approval1.9.2.10?
(Assignee)

Comment 10

7 years ago
Created attachment 475070 [details] [diff] [review]
for 1.9.1
Attachment #475070 - Flags: approval1.9.1.13?
Comment on attachment 475069 [details] [diff] [review]
for 1.9.2

Approved for 1.9.2.11, a=dveditz for release-drivers
Attachment #475069 - Flags: approval1.9.2.11? → approval1.9.2.11+
Comment on attachment 475070 [details] [diff] [review]
for 1.9.1

Approved for 1.9.1.14, a=dveditz for release-drivers
Attachment #475070 - Flags: approval1.9.1.14? → approval1.9.1.14+
(Assignee)

Comment 13

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fad1fb5ed6c0
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/5f928f65382d
status1.9.1: wanted → .14-fixed
status1.9.2: wanted → .11-fixed
Alias: CVE-2010-3180
Whiteboard: [sg:critical] → [sg:critical?]
Group: core-security
Flags: sec-bounty+