Closed
Bug 723446
(CVE-2012-0459)
Opened 13 years ago
Closed 13 years ago
Access to a keyframe's cssText after dynamic modification always crashes Gecko
Categories
(Core :: DOM: CSS Object Model, defect, P1)
Core
DOM: CSS Object Model
Tracking
()
VERIFIED
FIXED
mozilla13
People
(Reporter: glazou, Assigned: bzbarsky)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical][qa!])
Crash Data
Attachments
(2 files)
1.22 KB,
text/html
|
Details | |
1.67 KB,
patch
|
dbaron
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The following test modifies a keyframe through JS and then reads its cssText twice. Gecko will always crash, sometimes at first read, sometimes at second: http://glazman.org/tmp/cssanim_bug.html Verified on OS X and Linux 32bits with 12.0a1. Related crash reports: bp-7624db3c-492f-42f1-9364-e2f132120202 bp-8eaecc4f-b4f1-4b5c-870c-b235b2120202 bp-9c64754f-0056-48eb-936f-0f4a62120202 bp-4237d936-28e5-4f62-8a00-f5d9c2120202 bp-9c32ddbf-211f-4d7d-9897-448002120202 This bug blocks the CSS Animations' editor I am currently working on for BlueGriffon.
Comment 1•13 years ago
|
||
I can reproduce it on Windows: bp-a273ec4c-38cb-48ee-b455-b85252120202 bp-1f146839-8bb8-460d-94c0-967542120202 bp-dab15220-8dc3-4a77-bd1d-6af492120202
Assignee | ||
Comment 2•13 years ago
|
||
(gdb) frame 3 #3 0x00000001020fbf03 in nsCSSKeyframeRule::GetCssText (this=0x122f867c0, aCssText=@0x118f9dba0) at ../../../mozilla/layout/style/nsCSSRules.cpp:1892 1892 mDeclaration->ToString(tmp); (gdb) p mDeclaration.mRawPtr $5 = (class mozilla::css::Declaration *) 0x122fc9160 (gdb) p/x mDeclaration.mRawPtr $6 = 0x122fc9160 (gdb) frame 3 #3 0x00000001020fbf03 in nsCSSKeyframeRule::GetCssText (this=0x122f867c0, aCssText=@0x118f9dba0) at ../../../mozilla/layout/style/nsCSSRules.cpp:1892 1892 mDeclaration->ToString(tmp); (gdb) p mDeclaration.mRawPtr $7 = (class mozilla::css::Declaration *) 0x122fc9160 (gdb) p/x *mDeclaration.mRawPtr $8 = { mOrder = { <nsAutoArrayBase<nsTArray<unsigned char, nsTArrayDefaultAllocator>,8u>> = { <nsTArray<unsigned char,nsTArrayDefaultAllocator>> = { <nsTArray_base<nsTArrayDefaultAllocator>> = { mHdr = 0x5a5a5a5a5a5a5a5a }, <nsTArray_SafeElementAtHelper<unsigned char,nsTArray<unsigned char, nsTArrayDefaultAllocator> >> = {<No data fields>}, <No data fields>}, members of nsAutoArrayBase<nsTArray<unsigned char, nsTArrayDefaultAllocator>,8u>: { mAutoBuf = {0x5a <repeats 16 times>}, mAlign = { elem = 0x5a } } }, <No data fields>}, mData = { mRawPtr = 0x5a5a5a5a5a5a5a5a }, mImportantData = { mRawPtr = 0x5a5a5a5a5a5a5a5a }, mImmutable = 0x1 }
Group: core-security
Assignee | ||
Comment 3•13 years ago
|
||
So what happens here is that the keyframe rule has: nsAutoPtr<mozilla::css::Declaration> mDeclaration; When we mutate the DOM declaration, the underlying CSS declaration is mutable, so we just change it in-place and call nsCSSKeyframeStyleDeclaration::SetCSSDeclaration. This calls nsCSSKeyframeRule::ChangeDeclaration which does: mDeclaration = aDeclaration; which deletes the declaration. In this case, mDeclaration == aDeclaration before assignment. We can either check that here, or change nsAutoPtr to handle this case...
Assignee | ||
Comment 4•13 years ago
|
||
And fwiw, I'd really appreciate attaching testcases, not linking to them... in this case it would be have been much much better. ;)
Assignee | ||
Comment 5•13 years ago
|
||
Assignee | ||
Comment 6•13 years ago
|
||
I can add tests, but we probably don't want to land those until we open up the bug....
Attachment #593833 -
Flags: review?(dbaron)
Comment on attachment 593833 [details] [diff] [review] Be a little more careful changing declarations on keyframe rules. r=dbaron Not sure what I think about nsAutoPtr now.
Attachment #593833 -
Flags: review?(dbaron) → review+
Assignee | ||
Comment 8•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/880df44948d8
Assignee: nobody → bzbarsky
tracking-firefox11:
--- → ?
tracking-firefox12:
--- → ?
Priority: -- → P1
Target Milestone: --- → mozilla13
Assignee | ||
Comment 9•13 years ago
|
||
Jesse, can you add this stuff to your fuzzers? This is the second bug we've had in it...
Assignee | ||
Comment 10•13 years ago
|
||
Comment on attachment 593833 [details] [diff] [review] Be a little more careful changing declarations on keyframe rules. [Approval Request Comment] Regression caused by (bug #): Initial landing of CSS Animations User impact if declined: Probably-exploitable crashes Testing completed (on m-c, etc.): Landed on m-c Risk to taking this patch (and alternatives if risky): Very low risk. Just avoids deleting an object we still care about. String changes made by this patch: None.
Attachment #593833 -
Flags: approval-mozilla-beta?
Attachment #593833 -
Flags: approval-mozilla-aurora?
Comment 11•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/880df44948d8
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 12•13 years ago
|
||
Comment on attachment 593833 [details] [diff] [review] Be a little more careful changing declarations on keyframe rules. [Triage Comment] Given where we are in the cycle and the low-risk nature of this patch, approving for Aurora 12 and Beta 11.
Attachment #593833 -
Flags: approval-mozilla-beta?
Attachment #593833 -
Flags: approval-mozilla-beta+
Attachment #593833 -
Flags: approval-mozilla-aurora?
Attachment #593833 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 13•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-aurora/rev/68fb495e3183 http://hg.mozilla.org/releases/mozilla-beta/rev/edef91ca0282
status-firefox11:
--- → fixed
status-firefox12:
--- → fixed
Updated•13 years ago
|
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox10:
--- → wontfix
tracking-firefox-esr10:
--- → 11+
Whiteboard: [qa+] → [sg:critical][qa+]
Comment 14•13 years ago
|
||
Crash in 10.0.2 on OS X 10.7.2: bp-db84aa15-8156-4423-ba6c-76c472120224
status-firefox-esr10:
affected → ---
status-firefox10:
wontfix → ---
tracking-firefox-esr10:
11+ → ---
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox10:
--- → wontfix
tracking-firefox-esr10:
--- → 11+
Comment 16•13 years ago
|
||
[Triage comment] This bug is being tracked for landing on ESR branch. Please land patches on http://hg.mozilla.org/releases/mozilla-esr10/by Thursday March 1, 2012 in order to be ready for go-to-build on Friday March 2, 2012. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more information.
Assignee | ||
Comment 17•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-esr10/rev/80653ae3ce0e
Comment 18•13 years ago
|
||
Checked crashing PoC with 1.9.2.27 on OS X and XP SP3. No crashes. Marking 1.9.2 as unaffected.
status1.9.2:
--- → unaffected
Comment 19•13 years ago
|
||
verified with latest builds of esr10, fx11, fx12 and fx13 on Mac and Win XP
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Updated•13 years ago
|
Alias: CVE-2012-0459
(In reply to Boris Zbarsky (:bz) from comment #3) > We can either check that here, or change nsAutoPtr to handle this case... Can we fix nsAutoPtr? This seems like a massive footgun.
Assignee | ||
Comment 22•13 years ago
|
||
I asked bsmedberg; he was happier with not, but feel free to try to convince him otherwise. The cost is an extra branch on every assignment to an nsAutoPtr.
Updated•13 years ago
|
Group: core-security
Comment 23•12 years ago
|
||
> Jesse, can you add this stuff to your fuzzers? This is the second bug we've had
> in it...
Better keyframes testing: af88c213f88a, f30ca3bed7d7
Better cssRules testing: 065587740d67, 04de0dd4d228
Comment 24•12 years ago
|
||
> Can we fix nsAutoPtr? This seems like a massive footgun. Bug 827596.
You need to log in
before you can comment on or make changes to this bug.
Description
•