Closed Bug 750109 (CVE-2012-1946) Opened 13 years ago Closed 13 years ago

Use-after-free in nsINode::ReplaceOrInsertBefore

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
12 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox12 --- wontfix
firefox13 + fixed
firefox14 + fixed
firefox15 + fixed
firefox-esr10 --- unaffected

People

(Reporter: ax330d, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [asan][sg:critical][advisory-tracking+])

Attachments

(3 files)

PoC triggering the crash.
327 bytes, text/html
Details
ASan log
5.74 KB, text/plain
Details
patch
1.36 KB, patch
hsivonen
: review+
sicking
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
Use-after-free is triggered during replacing/inserting node in document. Crashes on: - 14.0a1 (Ubuntu 11.11, Linux x86-64), - 15.0a1 (Windows 7, x86-64), - 12.0 (Windows XP SP3). Does not crash on 10.0.2. Attached test-case is a bit flaky, but it will crash browser after 2-5 reloads. ASan log is from version 14.0a1.
Attached file ASan log
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → bugs
Attached patch patchSplinter Review
Attachment #619439 - Flags: review?
Attachment #619439 - Flags: review? → review?(hsivonen)
Whiteboard: [asan]
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
Blocks: 92264
status-firefox-esr10: --- → unaffected
status-firefox12: --- → wontfix
status-firefox13: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox12: ? → ---
tracking-firefox13: ?+
tracking-firefox14: ?+
tracking-firefox15: ?+
Keywords: regression
Attachment #619439 - Flags: review?(hsivonen) → review+
Is this an exploitable crash?
I believe so
Attachment #619433 - Attachment mime type: text/plain → text/html
Keywords: sec-critical
Whiteboard: [asan] → [asan][sg:critical]
Anything preventing this from being checked in? The patch is very safe so I guess we might want to wait with pushing to all branches until the late in the cycle?
Uh, I thought I had pushed this.
https://hg.mozilla.org/mozilla-central/rev/6e9d62160729
No longer blocks: 92264
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 619439 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 92264 User impact if declined: crash Testing completed (on m-c, etc.): just landed Risk to taking this patch (and alternatives if risky): Should be super-safe String or UUID changes made by this patch: NA
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-aurora?
Comment on attachment 619439 [details] [diff] [review] patch [Triage Comment] Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-beta+
Attachment #619439 - Flags: approval-mozilla-aurora?
Attachment #619439 - Flags: approval-mozilla-aurora+
Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Status: RESOLVED → VERIFIED
Alias: CVE-2012-1946
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: