Closed
Bug 679572
Opened 13 years ago
Closed 13 years ago
Use-after-free (nsFrameList::DestroyFrames) in Mozilla Products
Categories
(Core :: Layout, defect)
Tracking
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
firefox7 | --- | unaffected |
firefox8 | --- | unaffected |
firefox9 | --- | unaffected |
status1.9.2 | --- | .24-fixed |
People
(Reporter: javg0x83, Assigned: MatsPalmgren_bugz)
Details
(4 keywords, Whiteboard: [sg:dos] frame-poisoning)
Attachments (3 files)

Size | Type | Flags | Links
---|---|---|---
583 bytes | text/plain | | Details
34.37 KB | text/html | | Details
4.54 KB | patch | roc: review+, dveditz: approval1.9.2.24+ | Details, Diff, Splinter Review
-----------------------------------------------------------------
Use-after-free (nsFrameList::DestroyFrames) in Mozilla Products
-----------------------------------------------------------------

Affected products: Firefox and Thunderbird
Vulnerable versions: 3.x
Tested on: Firefox <= 3.6.20 and Thunderbird <= 3.1.12
OS: Windows XP SP3 (Spanish)

-------------
DESCRIPTION
-------------

A vulnerability where Firefox/Thunderbird uses memory not initialized could allow remote execution using a crafted web page. Doing a bad nesting, especially with li, ul, dd and a bad tag, and also using some CSS properties, Firefox/Thunderbird crashes in an exploitable way.

----------
ANALYSIS
----------

[*] Using Thunderbird client:

```text
(b8.6e4): Break instruction exception - code 80000003 (first chance)
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c91120e esp=03f5ffcc ebp=03f5fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c91120e cc              int     3
0:019> g
ModLoad: 72ca0000 72ca9000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 76bf0000 76c1e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a50000 77ae6000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77af0000 77b02000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c50000 76c78000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72ca0000 72ca9000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72c90000 72c98000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77bb0000 77bc5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77ba0000 77ba7000   C:\WINDOWS\system32\midimap.dll
(b8.df0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0de7fff ebx=00000018 ecx=074cb218 edx=00000000 esi=f0de7fff edi=0646f894
eip=006d8305 esp=0012c1d8 ebp=0012c214 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
thunderbird!nsFrameList::DestroyFrames+0xf:
006d8305 ff5008          call    dword ptr [eax+8]    ds:0023:f0de8007=????????
0:000> !load winext/MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff0de8007
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:006d8305 call dword ptr [eax+8]
Exception Hash (Major/Minor): 0x3a440656.0x01787b2b
Stack Trace:
thunderbird!nsFrameList::DestroyFrames+0xf
thunderbird!nsFrameList::Destroy+0x8
thunderbird!nsContainerFrame::Destroy+0x75
thunderbird!nsBlockFrame::Destroy+0x89
thunderbird!nsContainerFrame::DeleteNextInFlowChild+0xc0
thunderbird!nsContainerFrame::DeleteNextInFlowChild+0x82
thunderbird!nsContainerFrame::ReflowChild+0xc5
thunderbird!nsColumnSetFrame::ReflowChildren+0x252
thunderbird!nsColumnSetFrame::Reflow+0x1cc
thunderbird!nsAbsoluteContainingBlock::ReflowAbsoluteFrame+0x115
thunderbird!nsAbsoluteContainingBlock::Reflow+0xa9
thunderbird!ViewportFrame::Reflow+0x129
thunderbird!PresShell::DoReflow+0x10e
thunderbird!PresShell::ProcessReflowCommands+0x7a
thunderbird!PresShell::FlushPendingNotifications+0x121
thunderbird!nsEditor::EndUpdateViewBatch+0x98
thunderbird!nsHTMLEditor::EndUpdateViewBatch+0xe
thunderbird!nsEditor::EndPlaceHolderTransaction+0x4e
thunderbird!nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch+0x12
thunderbird!nsHTMLEditor::DoInsertHTMLWithContext+0x1c5
thunderbird!nsHTMLEditor::InsertHTMLWithContext+0x2b
thunderbird!nsHTMLEditor::InsertHTML+0x1f
xpcom_core!NS_InvokeByIndex_P+0x27
thunderbird!XPCWrappedNative::CallMethod+0xa65
thunderbird!XPC_WN_CallMethod+0xfa
js3250!js_Invoke+0x48d
js3250!js_Interpret+0x4567
js3250!js_Invoke+0x498
thunderbird!nsXPCWrappedJSClass::CallMethod+0xac6
thunderbird!nsXPCWrappedJS::CallMethod+0x27
xpcom_core!PrepareAndDispatch+0xe7
xpcom_core!SharedStub+0x16
thunderbird!nsEventListenerManager::HandleEventSubType+0x10e
thunderbird!nsTArray<XPCJSContextInfo>::AssignRange<JSContext *>+0x24
thunderbird!nsXPConnect::Push+0x21
thunderbird!nsEventTargetChainItem::HandleEvent+0x60
thunderbird!nsEventTargetChainItem::HandleEventTargetChain+0xf1
thunderbird!nsEventDispatcher::Dispatch+0x2fa
thunderbird!nsEventDispatcher::DispatchDOMEvent+0xbe
thunderbird!PresShell::HandleDOMEventWithTarget+0x3d
thunderbird!nsContentUtils::DispatchXULCommand+0x149
thunderbird!nsButtonBoxFrame::DoMouseClick+0x8f
thunderbird!nsScrollbarButtonFrame::MouseClicked+0xb
thunderbird!nsButtonBoxFrame::HandleEvent+0xc5
thunderbird!nsPresShellEventCB::HandleEvent+0x2d
thunderbird!nsEventTargetChainItem::HandleEventTargetChain+0x1a7
thunderbird!nsEventDispatcher::Dispatch+0x2fa
thunderbird!PresShell::HandleEventInternal+0x24e
thunderbird!PresShell::HandleEventWithTarget+0x21
thunderbird!nsEventStateManager::CheckForAndDispatchClick+0x107
thunderbird!nsEventStateManager::PostHandleEvent+0x3dc
thunderbird!PresShell::HandleEventInternal+0x2fb
thunderbird!PresShell::HandlePositionedEvent+0xc3
thunderbird!PresShell::HandleEvent+0x575
thunderbird!nsViewManager::HandleEvent+0x2f
thunderbird!nsViewManager::DispatchEvent+0x62f
thunderbird!HandleEvent+0x36
thunderbird!nsWindow::DispatchEvent+0x2d
thunderbird!nsWindow::DispatchWindowEvent+0x13
thunderbird!nsWindow::DispatchMouseEvent+0x41f
thunderbird!ChildWindow::DispatchMouseEvent+0x5d
thunderbird!nsWindow::ProcessMessage+0x948
thunderbird!nsWindow::WindowProc+0xbc
USER32!InternalCallWinProc+0x28
Instruction Address: 0x00000000006d8305
Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow starting at thunderbird!nsFrameList::DestroyFrames+0x000000000000000f (Hash=0x3a440656.0x01787b2b)
Access violations not near null in control flow instructions are considered exploitable.
```

In mozilla/layout/generic/nsFrameList.cpp:

```cpp
void
nsFrameList::Destroy()
{
  DestroyFrames();               <-- (1)
  delete this;
}

void
nsFrameList::DestroyFrames()
{
  nsIFrame* next;
  for (nsIFrame* frame = mFirstChild; frame; frame = next) {
    next = frame->GetNextSibling();
    frame->Destroy();            <-- (2) (CRASH)
    mFirstChild = next;
  }
}
```

[*] Using Firefox client:

```text
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0de7fff ebx=01d2cc00 ecx=07189940 edx=00000000 esi=040f3b78 edi=040f3b78
eip=100c4652 esp=0012b824 ebp=01d6e0a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
xul!nsFrameList::DestroyFrames+0x12:
100c4652 8b5008          mov     edx,dword ptr [eax+8] ds:0023:f0de8007=????????
0:000> !load winext/MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff0de8007
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:100c4652 mov edx,dword ptr [eax+8]
Basic Block:
    100c4652 mov edx,dword ptr [eax+8]
       Tainted Input Operands: eax
    100c4655 mov esi,dword ptr [ecx+20h]
    100c4658 call edx
       Tainted Input Operands: edx
Exception Hash (Major/Minor): 0x29661f11.0x296b1410
Stack Trace:
xul!nsFrameList::DestroyFrames+0x12
xul!nsFrameList::Destroy+0x8
xul!nsContainerFrame::Destroy+0x30a5ba
xul!nsBlockFrame::DoRemoveFrame+0x372
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!do_QueryFrame::operator<nsBlockFrame> nsBlockFrame *+0xc
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!nsBlockReflowContext::ReflowBlock+0x330d92
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
Instruction Address: 0x00000000100c4652
Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsFrameList::DestroyFrames+0x0000000000000012 (Hash=0x29661f11.0x296b1410)
The data from the faulting address is later used as the target for a branch.
```

```cpp
void
nsFrameList::DestroyFrames()
{
  nsIFrame* next;
  for (nsIFrame* frame = mFirstChild; frame; frame = next) {
    next = frame->GetNextSibling();
    frame->Destroy();            <-- (Crash)
    mFirstChild = next;
  }
}
```

------
Repro
------

Open the attached PoC using:

a) Thunderbird (as an attached mail or composing a message with HTML code).
b) Firefox (remotely or locally).

Thunderbird/Firefox crashes automatically.

---------
Credits
---------

Jose A. Vazquez of http://spa-s3c.blogspot.com
Reporter
Comment 1•13 years ago
Should I create another submission to include Thunderbird? Or can you change the affected products to both (Firefox & Thunderbird)? Cheers, Jose.
Comment 2•13 years ago
A single bug will suffice for both since this is an engine bug. The addresses look like it's hit our "frame-poisoning" mitigation which would make that an unmapped and unexploitable address but that's off the top of my head and needs investigation.
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 3.6 Branch → 1.9.2 Branch
Comment 3•13 years ago
Jose, any chance you could test this in Firefox 6 or even newer? Thanks!
Reporter
Comment 4•13 years ago
Yep, tested in Firefox 6 and Thunderbird 6 and it's not vulnerable. Btw, I also tested in Firefox 4 and 5 and there are no crashes. It only affects Firefox 3.6.x; I couldn't confirm in 3.x or 3.5.x.
Reporter
Comment 5•13 years ago
Status has not changed for a long time. Will you fix it?
Assignee
Comment 6•13 years ago
I can reproduce this with a 1.9.2 DEBUG build on WinXP.
Before the crash there is this assertion:

###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file layout/generic/nsBlockFrame.cpp, line 5515

Here's the stack for that assertion, aDeletedFrame is 0739FF98 and it has the NS_FRAME_IS_OVERFLOW_CONTAINER bit set and is on the ExcessOverflowContainers-list frame list.

I suspect that what we want to do is take the path for NS_FRAME_IS_OVERFLOW_CONTAINER frames at the start of nsBlockFrame::DoRemoveFrame but since this is a next-in-flow we didn't reach that block...
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout%2Fgeneric%2FnsBlockFrame.cpp#5285

On trunk we explicitly handle this case in the loop:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsBlockFrame.cpp#5434
(fixed in bug 564968)
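The following is an added illustration, not Gecko code, of the failure shape described in the report's DestroyFrames loop and in the comment above: a frame's next-in-flow is an overflow container that is still linked as a later sibling, so destroying the first frame (which, as DeleteNextInFlowChild does, also destroys its continuation) leaves the list iteration holding a pointer into memory that has just been freed and poisoned. The toy arena, the frame layout, the poison constant and the names destroyFramesUnsafe / destroyFramesFixed are all constructed for this example; the fixed variant only follows the idea of the patch in this bug (unlink the overflow-container next-in-flow before destroying its prev-in-flow) and is not the patch itself.

```cpp
// Added example (not Gecko code): toy model of a sibling-linked frame list
// whose Destroy() can tear down a continuation still ahead in the list.
// ToyArena, ToyFrame, destroyFramesUnsafe, destroyFramesFixed: constructed names.
#include <cstdint>
#include <vector>

// Constructed poison pattern. The dumps in this bug show eax=f0de7fff, which
// comment 2 attributes to the frame-poisoning mitigation: freed frame memory
// is overwritten with a value pointing into an unmapped page, so a stale
// vtable read faults instead of dispatching through attacker-controlled data.
static const uint32_t kPoison = 0xF0DE7FFFu;
static const uint32_t kLiveVtable = 0x1000u;

struct ToyFrame {
    uint32_t vtable;         // stands in for the vtable slot read at [eax+8]
    ToyFrame* nextSibling;   // link in the frame list being destroyed
    ToyFrame* nextInFlow;    // continuation; may be an overflow container
    bool overflowContainer;  // NS_FRAME_IS_OVERFLOW_CONTAINER analogue
};

// Arena that keeps storage alive, so reading a "freed" frame is well-defined
// in this model and the poison value identifies the read as use-after-free.
class ToyArena {
public:
    ToyFrame* alloc(bool overflowContainer) {
        frames_.push_back(new ToyFrame{kLiveVtable, nullptr, nullptr, overflowContainer});
        return frames_.back();
    }
    void free(ToyFrame* f) { f->vtable = kPoison; ++frees_; }
    bool isPoisoned(const ToyFrame* f) const { return f->vtable == kPoison; }
    int frees() const { return frees_; }
    ~ToyArena() { for (ToyFrame* f : frames_) delete f; }
private:
    std::vector<ToyFrame*> frames_;
    int frees_ = 0;
};

enum class Outcome { Ok, PoisonedVtableRead };

// Destroy() analogue: a virtual call through a poisoned vtable is the crash in
// the report; otherwise an overflow-container next-in-flow is destroyed first.
static Outcome destroyFrame(ToyArena& arena, ToyFrame* f) {
    if (arena.isPoisoned(f)) return Outcome::PoisonedVtableRead;
    if (f->nextInFlow && f->nextInFlow->overflowContainer) {
        Outcome o = destroyFrame(arena, f->nextInFlow);
        if (o != Outcome::Ok) return o;
    }
    arena.free(f);
    return Outcome::Ok;
}

// The loop quoted from nsFrameList::DestroyFrames: 'next' is captured before
// Destroy(), so a sibling that Destroy() also frees is visited again later.
static Outcome destroyFramesUnsafe(ToyArena& arena, ToyFrame*& first) {
    ToyFrame* next;
    for (ToyFrame* frame = first; frame; frame = next) {
        next = frame->nextSibling;
        Outcome o = destroyFrame(arena, frame);
        if (o != Outcome::Ok) return o;
        first = next;
    }
    return Outcome::Ok;
}

// Unlink one frame from the sibling chain without freeing it.
static void unlinkSibling(ToyFrame*& first, ToyFrame* target) {
    ToyFrame** link = &first;
    while (*link && *link != target) link = &(*link)->nextSibling;
    if (*link) *link = target->nextSibling;
}

// Fixed loop: remove an overflow-container next-in-flow from the list before
// its prev-in-flow is destroyed, so the iteration never holds a stale pointer.
static Outcome destroyFramesFixed(ToyArena& arena, ToyFrame*& first) {
    ToyFrame* next;
    for (ToyFrame* frame = first; frame; frame = next) {
        ToyFrame* nif = frame->nextInFlow;
        if (nif && nif->overflowContainer) unlinkSibling(first, nif);
        next = frame->nextSibling;   // read only after the unlink
        Outcome o = destroyFrame(arena, frame);
        if (o != Outcome::Ok) return o;
        first = next;
    }
    return Outcome::Ok;
}

// Constructed scenario: A's next-in-flow B is an overflow container that is
// still linked as a later sibling (A -> C -> B).
static ToyFrame* buildScenario(ToyArena& arena) {
    ToyFrame* a = arena.alloc(false);
    ToyFrame* c = arena.alloc(false);
    ToyFrame* b = arena.alloc(true);
    a->nextSibling = c;
    c->nextSibling = b;
    a->nextInFlow = b;
    return a;
}

// 1 if the original loop ends up dispatching through a poisoned vtable.
int unsafeLoopHitsPoison() {
    ToyArena arena;
    ToyFrame* first = buildScenario(arena);
    return destroyFramesUnsafe(arena, first) == Outcome::PoisonedVtableRead ? 1 : 0;
}

// Frames freed by the fixed loop (each exactly once), or -1 on a poison read.
int fixedLoopFrees() {
    ToyArena arena;
    ToyFrame* first = buildScenario(arena);
    if (destroyFramesFixed(arena, first) != Outcome::Ok) return -1;
    return arena.frees();
}

int main() {
    return (unsafeLoopHitsPoison() == 1 && fixedLoopFrees() == 3) ? 0 : 1;
}
```

In the unsafe loop the scenario frees B while destroying A, then reaches B again through the stale sibling link and finds the poison value where the vtable should be; that is the mitigation working as comment 2 describes, turning the use-after-free into a deterministic fault. The fixed loop unlinks B before A is destroyed, so all three frames are freed exactly once and nothing is ever read after its free.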
Assignee
Comment 7•13 years ago
Assignee: nobody → matspal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #561360 -
Flags: review?(roc)
Comment on attachment 561360 [details] [diff] [review] fix + tests Review of attachment 561360 [details] [diff] [review]: ----------------------------------------------------------------- ::: layout/generic/nsBlockFrame.cpp @@ +5563,5 @@ > #endif > > + // If next-in-flow is an overflow container, must remove it first. > + if (deletedNextContinuation && > + deletedNextContinuation->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER) { () around the & expression
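Review bot: in the new condition on the last two visible lines of the hunk, `deletedNextContinuation->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER` relies on `&` binding tighter than `&&`; that parses as intended in C++, but it is easy to misread as a plain boolean chain, so wrap the bit test in its own parentheses as the reviewer asks: `(deletedNextContinuation->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER)`. The body that performs the removal lies outside the five lines of context shown here, so this note covers only the condition.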
Attachment #561360 -
Flags: review?(roc) → review+
Assignee
Updated•13 years ago
Attachment #561360 -
Flags: approval1.9.2.23?
Updated•13 years ago
Comment 9•13 years ago
Comment on attachment 561360 [details] [diff] [review] fix + tests Approved for 1.9.2.24, a=dveditz for release-drivers
Attachment #561360 -
Flags: approval1.9.2.23? → approval1.9.2.24+
Assignee
Comment 10•13 years ago
https://hg.mozilla.org/releases/mozilla-1.9.2/rev/4498af260a06
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 11•13 years ago
Verified crash on 1.9.23 on XP with PoC. Verified fix for 1.9.2 in nightly 1.9.24pre build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24pre) Gecko/20111029 Namoroka/3.6.24pre (.NET CLR 3.5.30729)).
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Updated•13 years ago
status-firefox7:
--- → unaffected
status-firefox8:
--- → unaffected
status-firefox9:
--- → unaffected
Comment 12•13 years ago
Does this issue have a CVE id?
Assignee
Comment 13•13 years ago
(In reply to Huzaifa Sidhpurwala from comment #12)
> Does this issue have a CVE id?

Not that I know of, Daniel?
Reporter
Comment 14•13 years ago
What's the exact release date? I think it's today, but at what hour and in which timezone?
Updated•13 years ago
Group: core-security
Reporter
Comment 15•13 years ago
Without an advisory... why? http://www.mozilla.org/security/known-vulnerabilities/firefox36.html I guess because of comment #2, but if it's not a security bug, why have you kept it private? Please, could someone give a clarification?
Updated•7 years ago
Keywords: csectype-uaf