Bug 750109 - (CVE-2012-1946) Use-after-free in nsINode::ReplaceOrInsertBefore
Status: VERIFIED FIXED
Whiteboard: [asan][sg:critical][advisory-tracking+]
Keywords: regression, sec-critical
Product: Core
Classification: Components
Component: DOM
Version: 12 Branch
Platform: All / All
Priority: -- / Severity: normal
Assigned To: Olli Pettay [:smaug] (TPAC)
Blocks: 92264
Reported: 2012-04-29 12:35 PDT by Arthur Gerkis
Modified: 2014-06-30 12:07 PDT
Flags: rforbes: sec-bounty+
Branch status/tracking flags (branch columns not preserved): wontfix; +/fixed; +/fixed; +/fixed; unaffected

Attachments
  - PoC triggering the crash. (327 bytes, text/html), 2012-04-29 12:35 PDT, Arthur Gerkis
  - ASan log (5.74 KB, text/plain), 2012-04-29 12:37 PDT, Arthur Gerkis
  - patch (1.36 KB, patch), 2012-04-29 13:04 PDT, Olli Pettay [:smaug] (TPAC)
    Flags: hsivonen: review+, jonas: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+

Description Arthur Gerkis 2012-04-29 12:35:52 PDT
Created attachment 619433 [details]
PoC triggering the crash.

A use-after-free is triggered while replacing/inserting a node in the document.

Crashes on:
  - 14.0a1 (Ubuntu 11.11, Linux x86-64), 
  - 15.0a1 (Windows 7, x86-64), 
  - 12.0 (Windows XP SP3).
Does not crash on 10.0.2.

The attached test case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
Comment 1 Arthur Gerkis 2012-04-29 12:37:01 PDT
Created attachment 619434 [details]
ASan log
Comment 2 Christian Holler (:decoder) 2012-04-29 12:52:28 PDT
Confirmed with this try build: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/decoder@own-hero.net-37896b6df18d/try-linux64-debug/firefox-15.0a1.en-US.linux-x86_64.tar.bz2

Had to reload the test twice as described, but then it reproduced.
Comment 3 Olli Pettay [:smaug] (TPAC) 2012-04-29 13:04:42 PDT
Created attachment 619439 [details] [diff] [review]
patch
Comment 4 Daniel Veditz [:dveditz] 2012-04-29 20:57:34 PDT
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
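The comments so far state the failure mode only in outline: a use-after-free in the node replace/insert path, reachable once outerHTML exists, with the PoC and the 1.36 KB patch living in attachments that are not reproduced on this page. What follows is an added, simplified C++ model of that bug class and of the standard fix; it is not Gecko code, not the attached patch, and says nothing about what the real PoC does. A ReplaceChild-style routine takes raw pointers, lets "script" run in the middle of the operation (modelled by a removal listener, in the role of a DOMNodeRemoved handler), and then keeps using the old child even though the listener may have detached it and so dropped the tree's only reference. The hardened variant pins every participant with a strong reference across the callback and re-checks its preconditions afterwards instead of assuming them. Node, RefPtr, Swap, ReplaceChildUnsafe/ReplaceChildSafe, RunScenario and the gLiveNodes registry are all inventions of this example; the registry exists so the buggy path can report a dangling pointer instead of dereferencing freed memory.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <set>
#include <utility>
#include <vector>

struct Node;

// Registry of live nodes (an artifice of this example). The buggy variant
// consults it to report a dangling pointer rather than read freed memory,
// which is what the real bug does and is undefined behaviour.
std::set<const Node*> gLiveNodes;
bool IsAlive(const Node* n) { return gLiveNodes.count(n) != 0; }

// Minimal intrusive strong pointer, in the spirit of nsCOMPtr/RefPtr.
template <class T>
class RefPtr {
 public:
  RefPtr() : p_(nullptr) {}
  RefPtr(T* p) : p_(p) { if (p_) p_->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.p_) {}
  ~RefPtr() { if (p_) p_->Release(); }
  RefPtr& operator=(RefPtr o) { std::swap(p_, o.p_); return *this; }
  T* get() const { return p_; }
  T* operator->() const { return p_; }
 private:
  T* p_;
};

struct Node {
  Node() { gLiveNodes.insert(this); }
  ~Node() { gLiveNodes.erase(this); }
  void AddRef() { ++refcnt; }
  void Release() { if (--refcnt == 0) delete this; }

  int refcnt = 0;
  Node* parent = nullptr;                // weak back-pointer, as in the DOM
  std::vector<RefPtr<Node>> children;    // the tree owns its children
  std::function<void(Node*)> onRemoved;  // stands in for a DOMNodeRemoved listener

  // Detach `child`. The returned ref is all that keeps it alive if nothing else
  // holds one; let it die at the end of the statement and the node is freed.
  RefPtr<Node> RemoveChild(Node* child) {
    auto it = std::find_if(children.begin(), children.end(),
                           [&](const RefPtr<Node>& c) { return c.get() == child; });
    if (it == children.end()) return RefPtr<Node>();
    RefPtr<Node> keep = *it;
    children.erase(it);
    keep->parent = nullptr;
    return keep;
  }
};

enum class Result { Ok, UseAfterFree, ParentChanged };

// Shared tail of both variants: put newChild where oldChild was.
Result Swap(Node* parent, Node* newChild, Node* oldChild) {
  auto it = std::find_if(parent->children.begin(), parent->children.end(),
                         [&](const RefPtr<Node>& c) { return c.get() == oldChild; });
  if (it == parent->children.end()) return Result::ParentChanged;
  auto idx = it - parent->children.begin();
  parent->RemoveChild(oldChild);
  parent->children.insert(parent->children.begin() + idx, RefPtr<Node>(newChild));
  newChild->parent = parent;
  return Result::Ok;
}

// Buggy shape: raw pointers in, script runs, oldChild is used afterwards as if
// nothing could have happened to it in between.
Result ReplaceChildUnsafe(Node* parent, Node* newChild, Node* oldChild) {
  auto listener = oldChild->onRemoved;  // dispatch holds its own copy of the listener
  if (listener) listener(oldChild);     // "script" runs here and may mutate the tree
  if (!IsAlive(oldChild)) return Result::UseAfterFree;  // real code: touches freed memory
  return Swap(parent, newChild, oldChild);
}

// Fixed shape: strong refs pin every participant across the callback, and the
// preconditions are re-checked afterwards instead of assumed.
Result ReplaceChildSafe(Node* parent, Node* newChild, Node* oldChild) {
  RefPtr<Node> keepParent(parent), keepNew(newChild), keepOld(oldChild);
  auto listener = oldChild->onRemoved;
  if (listener) listener(oldChild);
  if (oldChild->parent != parent) return Result::ParentChanged;  // script moved it
  return Swap(parent, newChild, oldChild);
}

// Builds root -> [victim] and replaces victim. With `hostile`, the removal
// listener detaches victim mid-operation, dropping the tree's only reference.
Result RunScenario(bool safe, bool hostile) {
  RefPtr<Node> root(new Node), replacement(new Node);
  Node* victim = new Node;  // deliberately owned by the tree alone
  root->children.push_back(RefPtr<Node>(victim));
  victim->parent = root.get();
  Node* rootRaw = root.get();
  if (hostile) victim->onRemoved = [rootRaw](Node* self) { rootRaw->RemoveChild(self); };
  return safe ? ReplaceChildSafe(rootRaw, replacement.get(), victim)
              : ReplaceChildUnsafe(rootRaw, replacement.get(), victim);
}

int main() {
  std::printf("unsafe, hostile listener: %d (1 = UseAfterFree)\n", (int)RunScenario(false, true));
  std::printf("safe, hostile listener:   %d (2 = ParentChanged)\n", (int)RunScenario(true, true));
  return 0;
}
```

Run under ASan the unsafe path would, without the IsAlive guard, report a heap-use-after-free on oldChild, which is the same symptom the attached ASan log records for the real code. The point of the safe variant is twofold and both halves matter: the strong references stop the node from being freed while the routine still holds a pointer to it, and the re-validation stops the routine from silently completing a replace against a tree that script has already rearranged.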
Comment 6 Al Billings [:abillings] 2012-05-02 10:51:13 PDT
Is this an exploitable crash?
Comment 7 Olli Pettay [:smaug] (TPAC) 2012-05-11 02:15:41 PDT
I believe so
Comment 8 Jonas Sicking (:sicking) No longer reading bugmail consistently 2012-05-18 15:01:47 PDT
Anything preventing this from being checked in?

The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
Comment 9 Olli Pettay [:smaug] (TPAC) 2012-05-19 05:07:04 PDT
Uh, I thought I had pushed this.
Comment 10 Olli Pettay [:smaug] (TPAC) 2012-05-20 13:57:15 PDT
https://hg.mozilla.org/mozilla-central/rev/6e9d62160729
Comment 11 Olli Pettay [:smaug] (TPAC) 2012-05-20 13:58:44 PDT
Comment on attachment 619439 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Comment 12 Alex Keybl [:akeybl] 2012-05-21 15:18:08 PDT
Comment on attachment 619439 [details] [diff] [review]
patch

[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Comment 14 Al Billings [:abillings] 2012-05-22 18:03:24 PDT
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Comment 15 Raymond Forbes[:rforbes] 2013-07-19 18:21:25 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719