Bug 750109 - (CVE-2012-1946) Use-after-free in nsINode::ReplaceOrInsertBefore
Summary: Use-after-free in nsINode::ReplaceOrInsertBefore
Keywords: csectype-uaf, regression, sec-critical
Product: Core
Classification: Components
Component: DOM
Version: 12 Branch
Platform: All (hardware) / All (OS)
Priority: -- / Severity: normal
Target Milestone: ---
Assigned To: Olli Pettay [:smaug] (pto-ish for couple of days)
QA Contact: Andrew Overholt [:overholt]
Blocks: 92264
Reported: 2012-04-29 12:35 PDT by Arthur Gerkis
Modified: 2016-12-01 13:31 PST
CC: 8 users
Flags: rforbes: sec-bounty+

Attachments:
- PoC triggering the crash. (327 bytes, text/html), 2012-04-29 12:35 PDT, Arthur Gerkis, no flags
- ASan log (5.74 KB, text/plain), 2012-04-29 12:37 PDT, Arthur Gerkis, no flags
- patch (1.36 KB, patch), 2012-04-29 13:04 PDT, Olli Pettay [:smaug] (pto-ish for couple of days); flags: hsivonen: review+, jonas: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+

Description Arthur Gerkis 2012-04-29 12:35:52 PDT
Created attachment 619433
PoC triggering the crash.

A use-after-free is triggered while replacing/inserting a node in the document.

Crashes on:
  - 14.0a1 (Ubuntu 11.11, Linux x86-64), 
  - 15.0a1 (Windows 7, x86-64), 
  - 12.0 (Windows XP SP3).
Does not crash on 10.0.2.

The attached test case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
Comment 1 Arthur Gerkis 2012-04-29 12:37:01 PDT
Created attachment 619434
ASan log
Comment 2 Christian Holler (:decoder) 2012-04-29 12:52:28 PDT
Confirmed with this try build:

Had to reload the test twice as described, but then it reproduced.
Comment 3 Olli Pettay [:smaug] (pto-ish for couple of days) 2012-04-29 13:04:42 PDT
Created attachment 619439 (patch)
Comment 4 Daniel Veditz [:dveditz] 2012-04-29 20:57:34 PDT
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
Comment 6 Al Billings [:abillings] 2012-05-02 10:51:13 PDT
Is this an exploitable crash?
Comment 7 Olli Pettay [:smaug] (pto-ish for couple of days) 2012-05-11 02:15:41 PDT
I believe so.
Comment 8 Jonas Sicking (:sicking) No longer reading bugmail consistently 2012-05-18 15:01:47 PDT
Anything preventing this from being checked in?

The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
Comment 9 Olli Pettay [:smaug] (pto-ish for couple of days) 2012-05-19 05:07:04 PDT
Uh, I thought I had pushed this.
Comment 10 Olli Pettay [:smaug] (pto-ish for couple of days) 2012-05-20 13:57:15 PDT
Comment 11 Olli Pettay [:smaug] (pto-ish for couple of days) 2012-05-20 13:58:44 PDT
Comment on attachment 619439 (patch)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Comment 12 Alex Keybl [:akeybl] 2012-05-21 15:18:08 PDT
Comment on attachment 619439 (patch)

[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Comment 14 Al Billings [:abillings] 2012-05-22 18:03:24 PDT
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Comment 15 Raymond Forbes [:rforbes] 2013-07-19 18:21:25 PDT
