Closed Bug 679572 Opened 13 years ago Closed 13 years ago

Use-after-free (nsFrameList::DestroyFrames) in Mozilla Products

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.9.2 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox7 --- unaffected
firefox8 --- unaffected
firefox9 --- unaffected
status1.9.2 --- .24-fixed

People

(Reporter: javg0x83, Assigned: MatsPalmgren_bugz)

Details

(4 keywords, Whiteboard: [sg:dos] frame-poisoning)

Attachments

(3 files)

Proof Of Concept
583 bytes, text/plain
Details
frame tree + stack for the assertion
34.37 KB, text/html
Details
fix + tests
4.54 KB, patch
roc
: review+
dveditz
: approval1.9.2.24+
Details | Diff | Splinter Review
Attached file Proof Of Concept 
-----------------------------------------------------------------
Use-after-free (nsFrameList::DestroyFrames) in Mozilla Products
-----------------------------------------------------------------


Affected products: Firefox and Thunderbird
Vulnerable versions: 3.x
Tested on: Firefox <= 3.6.20 and Thunderbird <= 3.1.12
OS: Windows XP SP3 (Spanish)


-------------
DESCRIPTION
-------------


A vulnerability where Firefox/Thunderbird uses memory not initialized could allow remote execution using a crafted web.
Doing a bad nesting with especially li, ul, dd and a bad tag and also using some css properties, Firefox/Thunderbird got 
crashed in an exploitable way.


----------
ANALYSIS
----------


[*] Using Thunderbird client:



(b8.6e4): Break instruction exception - code 80000003 (first chance)
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c91120e esp=03f5ffcc ebp=03f5fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c91120e cc              int     3
0:019> g
ModLoad: 72ca0000 72ca9000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 76bf0000 76c1e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a50000 77ae6000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77af0000 77b02000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c50000 76c78000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72ca0000 72ca9000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72c90000 72c98000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77bb0000 77bc5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77ba0000 77ba7000   C:\WINDOWS\system32\midimap.dll
(b8.df0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0de7fff ebx=00000018 ecx=074cb218 edx=00000000 esi=f0de7fff edi=0646f894
eip=006d8305 esp=0012c1d8 ebp=0012c214 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
thunderbird!nsFrameList::DestroyFrames+0xf:
006d8305 ff5008          call    dword ptr [eax+8]    ds:0023:f0de8007=????????
0:000> !load winext/MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff0de8007
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:006d8305 call dword ptr [eax+8]

Exception Hash (Major/Minor): 0x3a440656.0x01787b2b

Stack Trace:
thunderbird!nsFrameList::DestroyFrames+0xf
thunderbird!nsFrameList::Destroy+0x8
thunderbird!nsContainerFrame::Destroy+0x75
thunderbird!nsBlockFrame::Destroy+0x89
thunderbird!nsContainerFrame::DeleteNextInFlowChild+0xc0
thunderbird!nsContainerFrame::DeleteNextInFlowChild+0x82
thunderbird!nsContainerFrame::ReflowChild+0xc5
thunderbird!nsColumnSetFrame::ReflowChildren+0x252
thunderbird!nsColumnSetFrame::Reflow+0x1cc
thunderbird!nsAbsoluteContainingBlock::ReflowAbsoluteFrame+0x115
thunderbird!nsAbsoluteContainingBlock::Reflow+0xa9
thunderbird!ViewportFrame::Reflow+0x129
thunderbird!PresShell::DoReflow+0x10e
thunderbird!PresShell::ProcessReflowCommands+0x7a
thunderbird!PresShell::FlushPendingNotifications+0x121
thunderbird!nsEditor::EndUpdateViewBatch+0x98
thunderbird!nsHTMLEditor::EndUpdateViewBatch+0xe
thunderbird!nsEditor::EndPlaceHolderTransaction+0x4e
thunderbird!nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch+0x12
thunderbird!nsHTMLEditor::DoInsertHTMLWithContext+0x1c5
thunderbird!nsHTMLEditor::InsertHTMLWithContext+0x2b
thunderbird!nsHTMLEditor::InsertHTML+0x1f
xpcom_core!NS_InvokeByIndex_P+0x27
thunderbird!XPCWrappedNative::CallMethod+0xa65
thunderbird!XPC_WN_CallMethod+0xfa
js3250!js_Invoke+0x48d
js3250!js_Interpret+0x4567
js3250!js_Invoke+0x498
thunderbird!nsXPCWrappedJSClass::CallMethod+0xac6
thunderbird!nsXPCWrappedJS::CallMethod+0x27
xpcom_core!PrepareAndDispatch+0xe7
xpcom_core!SharedStub+0x16
thunderbird!nsEventListenerManager::HandleEventSubType+0x10e
thunderbird!nsTArray<XPCJSContextInfo>::AssignRange<JSContext *>+0x24
thunderbird!nsXPConnect::Push+0x21
thunderbird!nsEventTargetChainItem::HandleEvent+0x60
thunderbird!nsEventTargetChainItem::HandleEventTargetChain+0xf1
thunderbird!nsEventDispatcher::Dispatch+0x2fa
thunderbird!nsEventDispatcher::DispatchDOMEvent+0xbe
thunderbird!PresShell::HandleDOMEventWithTarget+0x3d
thunderbird!nsContentUtils::DispatchXULCommand+0x149
thunderbird!nsButtonBoxFrame::DoMouseClick+0x8f
thunderbird!nsScrollbarButtonFrame::MouseClicked+0xb
thunderbird!nsButtonBoxFrame::HandleEvent+0xc5
thunderbird!nsPresShellEventCB::HandleEvent+0x2d
thunderbird!nsEventTargetChainItem::HandleEventTargetChain+0x1a7
thunderbird!nsEventDispatcher::Dispatch+0x2fa
thunderbird!PresShell::HandleEventInternal+0x24e
thunderbird!PresShell::HandleEventWithTarget+0x21
thunderbird!nsEventStateManager::CheckForAndDispatchClick+0x107
thunderbird!nsEventStateManager::PostHandleEvent+0x3dc
thunderbird!PresShell::HandleEventInternal+0x2fb
thunderbird!PresShell::HandlePositionedEvent+0xc3
thunderbird!PresShell::HandleEvent+0x575
thunderbird!nsViewManager::HandleEvent+0x2f
thunderbird!nsViewManager::DispatchEvent+0x62f
thunderbird!HandleEvent+0x36
thunderbird!nsWindow::DispatchEvent+0x2d
thunderbird!nsWindow::DispatchWindowEvent+0x13
thunderbird!nsWindow::DispatchMouseEvent+0x41f
thunderbird!ChildWindow::DispatchMouseEvent+0x5d
thunderbird!nsWindow::ProcessMessage+0x948
thunderbird!nsWindow::WindowProc+0xbc
USER32!InternalCallWinProc+0x28
Instruction Address: 0x00000000006d8305

Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow starting at thunderbird!nsFrameList::DestroyFrames+0x000000000000000f (Hash=0x3a440656.0x01787b2b)

Access violations not near null in control flow instructions are considered exploitable.




In mozilla/layout/generic/nsFrameList.cpp:


void
nsFrameList::Destroy()
{
  DestroyFrames(); <-- (1)
  delete this;
}

void
nsFrameList::DestroyFrames()
{
  nsIFrame* next;
  for (nsIFrame* frame = mFirstChild; frame; frame = next) {
    next = frame->GetNextSibling();
    frame->Destroy(); <-- (2) (CRASH)
    mFirstChild = next;
  }
}



[*] Using Firefox client:



First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0de7fff ebx=01d2cc00 ecx=07189940 edx=00000000 esi=040f3b78 edi=040f3b78
eip=100c4652 esp=0012b824 ebp=01d6e0a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
xul!nsFrameList::DestroyFrames+0x12:
100c4652 8b5008          mov     edx,dword ptr [eax+8] ds:0023:f0de8007=????????
0:000> !load winext/MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff0de8007
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:100c4652 mov edx,dword ptr [eax+8]

Basic Block:
    100c4652 mov edx,dword ptr [eax+8]
       Tainted Input Operands: eax
    100c4655 mov esi,dword ptr [ecx+20h]
    100c4658 call edx
       Tainted Input Operands: edx

Exception Hash (Major/Minor): 0x29661f11.0x296b1410

Stack Trace:
xul!nsFrameList::DestroyFrames+0x12
xul!nsFrameList::Destroy+0x8
xul!nsContainerFrame::Destroy+0x30a5ba
xul!nsBlockFrame::DoRemoveFrame+0x372
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!do_QueryFrame::operator<nsBlockFrame> nsBlockFrame *+0xc
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!nsBlockReflowContext::ReflowBlock+0x330d92
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
Instruction Address: 0x00000000100c4652

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsFrameList::DestroyFrames+0x0000000000000012 (Hash=0x29661f11.0x296b1410)

The data from the faulting address is later used as the target for a branch.



void
nsFrameList::DestroyFrames()
{
  nsIFrame* next;
  for (nsIFrame* frame = mFirstChild; frame; frame = next) {
    next = frame->GetNextSibling();
    frame->Destroy();  <-- (Crash)
    mFirstChild = next;
  }
}



------
Repro
------


Open PoC attached using:

a) Thunderbird (as attached mail or composing a message with HTML code).
b) Firefox (Remotely or locally).

Thuderbird/Firefox got crashed automatically.


---------
Credits
---------

Jose A. Vazquez of http://spa-s3c.blogspot.com
Should I create another submission to include Thunderbird? Or you can change the affected products to both (firefox & thunderbird)?

cheers,
Jose.
A single bug will suffice for both since this is an engine bug. The addresses look like it's hit our "frame-poisoning" mitigation which would make that an unmapped and unexploitable address but that's off the top of my head and needs investigation.
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 3.6 Branch → 1.9.2 Branch
Jose, any chance you could test this in Firefox 6 or even newer? Thanks!
yep, tested in Firefox 6 and Thunderbird 6 and it's not vulnerable.
Btw, I also tested in Firefox 4 and 5 and not crashes.

Just affecting to firefox 3.6.x, I couldn't confirm in 3.x or 3.5.x.
Status has not changed for a long time. Will fix them?
I can reproduce this with a 1.9.2 DEBUG build on WinXP.

Before the crash there is this assertion:
###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file layout/generic/nsBlockFrame.cpp, line 5515

Here's the stack for that assertion, aDeletedFrame is 0739FF98
and it has the NS_FRAME_IS_OVERFLOW_CONTAINER bit set and is on
the ExcessOverflowContainers-list frame list.

I suspect that what we want to do is take the path for
NS_FRAME_IS_OVERFLOW_CONTAINER frames at the start of nsBlockFrame::DoRemoveFrame but since this is a next-in-flow we didn't reach that block...
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout%2Fgeneric%2FnsBlockFrame.cpp#5285

On trunk we explicitly handle this case in the loop:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsBlockFrame.cpp#5434
(fixed in bug 564968)
Attached patch fix + testsSplinter Review 
Assignee: nobody → matspal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

        Attachment #561360 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 561360 [details] [diff] [review]
fix + tests

Review of attachment 561360 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/generic/nsBlockFrame.cpp
@@ +5563,5 @@
>  #endif
>  
> +    // If next-in-flow is an overflow container, must remove it first.
> +    if (deletedNextContinuation &&
> +        deletedNextContinuation->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER) {

() around the & expression

        Attachment #561360 -
        Flags: review?(roc) → review+

    
  

        Attachment #561360 -
        Flags: approval1.9.2.23?

          status1.9.2:
          --- → wanted
Keywords: crash, 
          
            testcase
Whiteboard: [sg:dos] frame-poisoning

    
    

    
  
Comment on attachment 561360 [details] [diff] [review]
fix + tests

Approved for 1.9.2.24, a=dveditz for release-drivers

        Attachment #561360 -
        Flags: approval1.9.2.23? → approval1.9.2.24+

    
    

    
  
https://hg.mozilla.org/releases/mozilla-1.9.2/rev/4498af260a06
Status: ASSIGNED → RESOLVED
Closed: 13 years ago

          status1.9.2:
          wanted.24-fixed
Flags: in-testsuite+
Resolution: --- → FIXED

    
    

    
  
Verified crash on 1.9.23 on XP with PoC. Verified fix for 1.9.2 in nightly 1.9.24pre build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24pre) Gecko/20111029 Namoroka/3.6.24pre (.NET CLR 3.5.30729)).
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2

    
    

    
  
Does this issue have a CVE id?

    
    

    
  
(In reply to Huzaifa Sidhpurwala from comment #12)
> Does this issue have a CVE id?

Not that I know of, Daniel?

    
    

    
  
What's the exact date of releasing? I think that it's today, but the hour and timezone?
Group: core-security

    
    

    
  
without advisory...why?
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
I guess for comment #2 but if it's not a security bug, why do you have kept it private?

Please, someone could give a clarification.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: