Use-after-free (nsFrameList::DestroyFrames) in Mozilla Products

VERIFIED FIXED

Status

()

Core
Layout
--
critical
VERIFIED FIXED
6 years ago
6 months ago

People

(Reporter: Jose A. Vazquez, Assigned: mats)

Tracking

(4 keywords)

1.9.2 Branch
x86
Windows XP
crash, csectype-uaf, testcase, verified1.9.2
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox7 unaffected, firefox8 unaffected, firefox9 unaffected, status1.9.2 .24-fixed)

Details

(Whiteboard: [sg:dos] frame-poisoning)

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 553636 [details]
Proof Of Concept

-----------------------------------------------------------------
Use-after-free (nsFrameList::DestroyFrames) in Mozilla Products
-----------------------------------------------------------------


Affected products: Firefox and Thunderbird
Vulnerable versions: 3.x
Tested on: Firefox <= 3.6.20 and Thunderbird <= 3.1.12
OS: Windows XP SP3 (Spanish)


-------------
DESCRIPTION
-------------


A vulnerability where Firefox/Thunderbird uses memory not initialized could allow remote execution using a crafted web.
Doing a bad nesting with especially li, ul, dd and a bad tag and also using some css properties, Firefox/Thunderbird got 
crashed in an exploitable way.


----------
ANALYSIS
----------


[*] Using Thunderbird client:



(b8.6e4): Break instruction exception - code 80000003 (first chance)
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c91120e esp=03f5ffcc ebp=03f5fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c91120e cc              int     3
0:019> g
ModLoad: 72ca0000 72ca9000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 76bf0000 76c1e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a50000 77ae6000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77af0000 77b02000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c50000 76c78000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72ca0000 72ca9000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72c90000 72c98000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77bb0000 77bc5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77ba0000 77ba7000   C:\WINDOWS\system32\midimap.dll
(b8.df0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0de7fff ebx=00000018 ecx=074cb218 edx=00000000 esi=f0de7fff edi=0646f894
eip=006d8305 esp=0012c1d8 ebp=0012c214 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
thunderbird!nsFrameList::DestroyFrames+0xf:
006d8305 ff5008          call    dword ptr [eax+8]    ds:0023:f0de8007=????????
0:000> !load winext/MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff0de8007
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:006d8305 call dword ptr [eax+8]

Exception Hash (Major/Minor): 0x3a440656.0x01787b2b

Stack Trace:
thunderbird!nsFrameList::DestroyFrames+0xf
thunderbird!nsFrameList::Destroy+0x8
thunderbird!nsContainerFrame::Destroy+0x75
thunderbird!nsBlockFrame::Destroy+0x89
thunderbird!nsContainerFrame::DeleteNextInFlowChild+0xc0
thunderbird!nsContainerFrame::DeleteNextInFlowChild+0x82
thunderbird!nsContainerFrame::ReflowChild+0xc5
thunderbird!nsColumnSetFrame::ReflowChildren+0x252
thunderbird!nsColumnSetFrame::Reflow+0x1cc
thunderbird!nsAbsoluteContainingBlock::ReflowAbsoluteFrame+0x115
thunderbird!nsAbsoluteContainingBlock::Reflow+0xa9
thunderbird!ViewportFrame::Reflow+0x129
thunderbird!PresShell::DoReflow+0x10e
thunderbird!PresShell::ProcessReflowCommands+0x7a
thunderbird!PresShell::FlushPendingNotifications+0x121
thunderbird!nsEditor::EndUpdateViewBatch+0x98
thunderbird!nsHTMLEditor::EndUpdateViewBatch+0xe
thunderbird!nsEditor::EndPlaceHolderTransaction+0x4e
thunderbird!nsAutoPlaceHolderBatch::~nsAutoPlaceHolderBatch+0x12
thunderbird!nsHTMLEditor::DoInsertHTMLWithContext+0x1c5
thunderbird!nsHTMLEditor::InsertHTMLWithContext+0x2b
thunderbird!nsHTMLEditor::InsertHTML+0x1f
xpcom_core!NS_InvokeByIndex_P+0x27
thunderbird!XPCWrappedNative::CallMethod+0xa65
thunderbird!XPC_WN_CallMethod+0xfa
js3250!js_Invoke+0x48d
js3250!js_Interpret+0x4567
js3250!js_Invoke+0x498
thunderbird!nsXPCWrappedJSClass::CallMethod+0xac6
thunderbird!nsXPCWrappedJS::CallMethod+0x27
xpcom_core!PrepareAndDispatch+0xe7
xpcom_core!SharedStub+0x16
thunderbird!nsEventListenerManager::HandleEventSubType+0x10e
thunderbird!nsTArray<XPCJSContextInfo>::AssignRange<JSContext *>+0x24
thunderbird!nsXPConnect::Push+0x21
thunderbird!nsEventTargetChainItem::HandleEvent+0x60
thunderbird!nsEventTargetChainItem::HandleEventTargetChain+0xf1
thunderbird!nsEventDispatcher::Dispatch+0x2fa
thunderbird!nsEventDispatcher::DispatchDOMEvent+0xbe
thunderbird!PresShell::HandleDOMEventWithTarget+0x3d
thunderbird!nsContentUtils::DispatchXULCommand+0x149
thunderbird!nsButtonBoxFrame::DoMouseClick+0x8f
thunderbird!nsScrollbarButtonFrame::MouseClicked+0xb
thunderbird!nsButtonBoxFrame::HandleEvent+0xc5
thunderbird!nsPresShellEventCB::HandleEvent+0x2d
thunderbird!nsEventTargetChainItem::HandleEventTargetChain+0x1a7
thunderbird!nsEventDispatcher::Dispatch+0x2fa
thunderbird!PresShell::HandleEventInternal+0x24e
thunderbird!PresShell::HandleEventWithTarget+0x21
thunderbird!nsEventStateManager::CheckForAndDispatchClick+0x107
thunderbird!nsEventStateManager::PostHandleEvent+0x3dc
thunderbird!PresShell::HandleEventInternal+0x2fb
thunderbird!PresShell::HandlePositionedEvent+0xc3
thunderbird!PresShell::HandleEvent+0x575
thunderbird!nsViewManager::HandleEvent+0x2f
thunderbird!nsViewManager::DispatchEvent+0x62f
thunderbird!HandleEvent+0x36
thunderbird!nsWindow::DispatchEvent+0x2d
thunderbird!nsWindow::DispatchWindowEvent+0x13
thunderbird!nsWindow::DispatchMouseEvent+0x41f
thunderbird!ChildWindow::DispatchMouseEvent+0x5d
thunderbird!nsWindow::ProcessMessage+0x948
thunderbird!nsWindow::WindowProc+0xbc
USER32!InternalCallWinProc+0x28
Instruction Address: 0x00000000006d8305

Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow starting at thunderbird!nsFrameList::DestroyFrames+0x000000000000000f (Hash=0x3a440656.0x01787b2b)

Access violations not near null in control flow instructions are considered exploitable.




In mozilla/layout/generic/nsFrameList.cpp:


void
nsFrameList::Destroy()
{
  DestroyFrames(); <-- (1)
  delete this;
}

void
nsFrameList::DestroyFrames()
{
  nsIFrame* next;
  for (nsIFrame* frame = mFirstChild; frame; frame = next) {
    next = frame->GetNextSibling();
    frame->Destroy(); <-- (2) (CRASH)
    mFirstChild = next;
  }
}



[*] Using Firefox client:



First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0de7fff ebx=01d2cc00 ecx=07189940 edx=00000000 esi=040f3b78 edi=040f3b78
eip=100c4652 esp=0012b824 ebp=01d6e0a0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
xul!nsFrameList::DestroyFrames+0x12:
100c4652 8b5008          mov     edx,dword ptr [eax+8] ds:0023:f0de8007=????????
0:000> !load winext/MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xfffffffff0de8007
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:100c4652 mov edx,dword ptr [eax+8]

Basic Block:
    100c4652 mov edx,dword ptr [eax+8]
       Tainted Input Operands: eax
    100c4655 mov esi,dword ptr [ecx+20h]
    100c4658 call edx
       Tainted Input Operands: edx

Exception Hash (Major/Minor): 0x29661f11.0x296b1410

Stack Trace:
xul!nsFrameList::DestroyFrames+0x12
xul!nsFrameList::Destroy+0x8
xul!nsContainerFrame::Destroy+0x30a5ba
xul!nsBlockFrame::DoRemoveFrame+0x372
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!do_QueryFrame::operator<nsBlockFrame> nsBlockFrame *+0xc
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!RemoveBlockChild+0x31f653
xul!nsBlockFrame::DoRemoveFrame+0x33f
xul!nsTArray<void *>::AppendElements<void *>+0x2b
xul!nsBlockReflowContext::ReflowBlock+0x330d92
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
xul!nsBlockFrame::Reflow+0x252
xul!nsBlockReflowContext::ReflowBlock+0xef
xul!nsBlockFrame::ReflowBlockFrame+0x43d
xul!nsBlockFrame::ReflowLine+0x168
xul!nsBlockFrame::ReflowDirtyLines+0x21a
Instruction Address: 0x00000000100c4652

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!nsFrameList::DestroyFrames+0x0000000000000012 (Hash=0x29661f11.0x296b1410)

The data from the faulting address is later used as the target for a branch.



void
nsFrameList::DestroyFrames()
{
  nsIFrame* next;
  for (nsIFrame* frame = mFirstChild; frame; frame = next) {
    next = frame->GetNextSibling();
    frame->Destroy();  <-- (Crash)
    mFirstChild = next;
  }
}



------
Repro
------


Open PoC attached using:

a) Thunderbird (as attached mail or composing a message with HTML code).
b) Firefox (Remotely or locally).

Thuderbird/Firefox got crashed automatically.


---------
Credits
---------

Jose A. Vazquez of http://spa-s3c.blogspot.com
(Reporter)

Comment 1

6 years ago
Should I create another submission to include Thunderbird? Or you can change the affected products to both (firefox & thunderbird)?

cheers,
Jose.
A single bug will suffice for both since this is an engine bug. The addresses look like it's hit our "frame-poisoning" mitigation which would make that an unmapped and unexploitable address but that's off the top of my head and needs investigation.
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 3.6 Branch → 1.9.2 Branch
Jose, any chance you could test this in Firefox 6 or even newer? Thanks!
(Reporter)

Comment 4

6 years ago
yep, tested in Firefox 6 and Thunderbird 6 and it's not vulnerable.
Btw, I also tested in Firefox 4 and 5 and not crashes.

Just affecting to firefox 3.6.x, I couldn't confirm in 3.x or 3.5.x.
(Reporter)

Comment 5

6 years ago
Status has not changed for a long time. Will fix them?
(Assignee)

Comment 6

6 years ago
Created attachment 561351 [details]
frame tree + stack for the assertion

I can reproduce this with a 1.9.2 DEBUG build on WinXP.

Before the crash there is this assertion:
###!!! ASSERTION: frame not in line: 'line->Contains(aDeletedFrame)', file layout/generic/nsBlockFrame.cpp, line 5515

Here's the stack for that assertion, aDeletedFrame is 0739FF98
and it has the NS_FRAME_IS_OVERFLOW_CONTAINER bit set and is on
the ExcessOverflowContainers-list frame list.

I suspect that what we want to do is take the path for
NS_FRAME_IS_OVERFLOW_CONTAINER frames at the start of nsBlockFrame::DoRemoveFrame but since this is a next-in-flow we didn't reach that block...
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout%2Fgeneric%2FnsBlockFrame.cpp#5285

On trunk we explicitly handle this case in the loop:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsBlockFrame.cpp#5434
(fixed in bug 564968)
(Assignee)

Comment 7

6 years ago
Created attachment 561360 [details] [diff] [review]
fix + tests
Assignee: nobody → matspal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #561360 - Flags: review?(roc)
Comment on attachment 561360 [details] [diff] [review]
fix + tests

Review of attachment 561360 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/generic/nsBlockFrame.cpp
@@ +5563,5 @@
>  #endif
>  
> +    // If next-in-flow is an overflow container, must remove it first.
> +    if (deletedNextContinuation &&
> +        deletedNextContinuation->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER) {

() around the & expression
Attachment #561360 - Flags: review?(roc) → review+
(Assignee)

Updated

6 years ago
Attachment #561360 - Flags: approval1.9.2.23?
status1.9.2: --- → wanted
Keywords: crash, testcase
Whiteboard: [sg:dos] frame-poisoning
Comment on attachment 561360 [details] [diff] [review]
fix + tests

Approved for 1.9.2.24, a=dveditz for release-drivers
Attachment #561360 - Flags: approval1.9.2.23? → approval1.9.2.24+
(Assignee)

Comment 10

6 years ago
https://hg.mozilla.org/releases/mozilla-1.9.2/rev/4498af260a06
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
status1.9.2: wanted → .24-fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Verified crash on 1.9.23 on XP with PoC. Verified fix for 1.9.2 in nightly 1.9.24pre build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24pre) Gecko/20111029 Namoroka/3.6.24pre (.NET CLR 3.5.30729)).
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
status-firefox9: --- → unaffected

Comment 12

6 years ago
Does this issue have a CVE id?
(Assignee)

Comment 13

6 years ago
(In reply to Huzaifa Sidhpurwala from comment #12)
> Does this issue have a CVE id?

Not that I know of, Daniel?
(Reporter)

Comment 14

6 years ago
What's the exact date of releasing? I think that it's today, but the hour and timezone?
Group: core-security
(Reporter)

Comment 15

6 years ago
without advisory...why?
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
I guess for comment #2 but if it's not a security bug, why do you have kept it private?

Please, someone could give a clarification.
Keywords: csectype-uaf
You need to log in before you can comment on or make changes to this bug.