Bug 750109 (CVE-2012-1946)

Use-after-free in nsINode::ReplaceOrInsertBefore

VERIFIED FIXED

Status

Product: Core
Component: DOM
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 6 months ago

People

(Reporter: Arthur Gerkis, Assigned: smaug)

Tracking

Version: 12 Branch
Keywords: csectype-uaf, regression, sec-critical
Points: ---
Bug Flags: sec-bounty +

Firefox Tracking Flags

(firefox12 wontfix, firefox13+ fixed, firefox14+ fixed, firefox15+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][sg:critical][advisory-tracking+])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 619433 [details]
PoC triggering the crash.

A use-after-free is triggered while replacing/inserting a node in the document.

Crashes on:
  - 14.0a1 (Ubuntu 11.11, Linux x86-64),
  - 15.0a1 (Windows 7, x86-64),
  - 12.0 (Windows XP SP3).
Does not crash on 10.0.2.

The attached test case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
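The following is an added illustration and is not the PoC attached to this bug or Mozilla's patch (neither is reproduced on this page). It models the bug class that the csectype-uaf keyword denotes for DOM insertion code: a raw pointer to the reference child is held across a call that can run page script (a mutation listener, or a setter such as outerHTML that replaces nodes), script drops the last reference, and the insertion code then touches the freed node. Beside it is the hardened shape that takes a strong reference before script can run and re-validates the tree afterwards. Node, RefPtr, InsertBeforeUnsafe, InsertBeforeSafe, RunScenario and the gLiveNodes set are invented for this example; the actual root cause and fix in nsINode::ReplaceOrInsertBefore are not described in this bug and are not claimed here.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <set>
#include <vector>

// Toy refcounted DOM-like node (illustration only, not Gecko's nsINode).
struct Node;
// Stand-in for ASan's allocation map: every live Node registers itself here,
// so the vulnerable path can detect a freed pointer instead of dereferencing it.
static std::set<const Node*> gLiveNodes;

struct Node {
  int mRefCnt = 0;
  Node* mParent = nullptr;        // weak back-pointer
  std::vector<Node*> mChildren;   // each entry owns one strong reference
  Node() { gLiveNodes.insert(this); }
  ~Node();
};

static void AddRef(Node* n) { ++n->mRefCnt; }
static void Release(Node* n) { if (--n->mRefCnt == 0) delete n; }

Node::~Node() {
  gLiveNodes.erase(this);
  for (Node* c : mChildren) { c->mParent = nullptr; Release(c); }
}

// Minimal strong-reference holder (the role nsRefPtr/RefPtr plays in Gecko).
struct RefPtr {
  Node* p;
  explicit RefPtr(Node* n) : p(n) { if (p) AddRef(p); }
  ~RefPtr() { if (p) Release(p); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  Node* get() const { return p; }
};

static void RemoveChild(Node* parent, Node* child) {
  auto& kids = parent->mChildren;
  auto it = std::find(kids.begin(), kids.end(), child);
  if (it == kids.end()) return;
  kids.erase(it);
  child->mParent = nullptr;
  Release(child);   // may be the last reference: child is gone after this
}

// Script that runs while an insertion is in progress (mutation listener etc.).
static std::function<void()> gMutationListener;

enum class InsertResult { Ok, NotFound, UseAfterFree };

// Vulnerable shape: refChild is a raw pointer held across a call that runs script.
static InsertResult InsertBeforeUnsafe(Node* parent, Node* newChild, Node* refChild) {
  if (gMutationListener) gMutationListener();        // script may free refChild
  // A real build would dereference refChild here and ASan would report the UAF;
  // the live set lets this demo report it without undefined behaviour.
  if (!gLiveNodes.count(refChild)) return InsertResult::UseAfterFree;
  auto& kids = parent->mChildren;
  auto it = std::find(kids.begin(), kids.end(), refChild);
  if (it == kids.end()) return InsertResult::NotFound;
  AddRef(newChild);
  newChild->mParent = parent;
  kids.insert(it, newChild);
  return InsertResult::Ok;
}

// Hardened shape: hold a strong reference before anything can run script, then
// re-check that refChild is still a child of parent once script has run.
static InsertResult InsertBeforeSafe(Node* parent, Node* newChild, Node* refChild) {
  RefPtr keepAlive(refChild);                          // "kung-fu death grip"
  if (gMutationListener) gMutationListener();
  auto& kids = parent->mChildren;
  auto it = std::find(kids.begin(), kids.end(), refChild);
  if (it == kids.end()) return InsertResult::NotFound; // alive, but detached: bail out
  AddRef(newChild);
  newChild->mParent = parent;
  kids.insert(it, newChild);
  return InsertResult::Ok;
}

// Builds <parent><a/></parent> (constructed sample tree), optionally installs a
// listener that removes <a/> during the insertion, and runs one variant.
static InsertResult RunScenario(bool hardened, bool scriptRemovesRefChild) {
  RefPtr parent(new Node);
  Node* a = new Node;
  AddRef(a);
  a->mParent = parent.get();
  parent.get()->mChildren.push_back(a);
  RefPtr fresh(new Node);
  if (scriptRemovesRefChild) gMutationListener = [&] { RemoveChild(parent.get(), a); };
  InsertResult r = hardened ? InsertBeforeSafe(parent.get(), fresh.get(), a)
                            : InsertBeforeUnsafe(parent.get(), fresh.get(), a);
  gMutationListener = nullptr;
  return r;
}

int main() {
  std::printf("unsafe, script removes refChild: %d (2 = use-after-free)\n",
              static_cast<int>(RunScenario(false, true)));
  std::printf("safe,   script removes refChild: %d (1 = NotFound, no UAF)\n",
              static_cast<int>(RunScenario(true, true)));
  std::printf("live nodes leaked: %zu\n", gLiveNodes.size());
  return 0;
}
```

The difference between the two variants is entirely in when the strong reference is taken: the hardened version cannot observe a freed refChild because it owns it for the duration of the call, and the worst case becomes a NotFoundError-style early return rather than memory corruption.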
(Reporter)

Comment 1

5 years ago
Created attachment 619434 [details]
ASan log
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Confirmed with this try build: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/decoder@own-hero.net-37896b6df18d/try-linux64-debug/firefox-15.0a1.en-US.linux-x86_64.tar.bz2

Had to reload the test twice as described, but then it reproduced.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Updated

5 years ago
Assignee: nobody → bugs
(Assignee)

Comment 3

5 years ago
Created attachment 619439 [details] [diff] [review]
patch
Attachment #619439 - Flags: review?
(Assignee)

Updated

5 years ago
Attachment #619439 - Flags: review? → review?(hsivonen)
(Assignee)

Updated

5 years ago
tracking-firefox12: --- → ?
tracking-firefox13: --- → ?
tracking-firefox14: --- → ?
tracking-firefox15: --- → ?
Whiteboard: [asan]
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
Blocks: 92264
status-firefox-esr10: --- → unaffected
status-firefox12: --- → wontfix
status-firefox13: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox12: ? → ---
tracking-firefox13: ? → +
tracking-firefox14: ? → +
tracking-firefox15: ? → +
Keywords: regression
Attachment #619439 - Flags: review+
Attachment #619439 - Flags: review?(hsivonen) → review+
Is this an exploitable crash?
(Assignee)

Comment 7

5 years ago
I believe so.
Attachment #619433 - Attachment mime type: text/plain → text/html
Keywords: sec-critical
Whiteboard: [asan] → [asan][sg:critical]
Anything preventing this from being checked in?

The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
(Assignee)

Comment 9

5 years ago
Uh, I thought I had pushed this.
(Assignee)

Comment 10

5 years ago
https://hg.mozilla.org/mozilla-central/rev/6e9d62160729
No longer blocks: 92264
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 11

5 years ago
Comment on attachment 619439 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-aurora?

Updated

5 years ago
Blocks: 92264
Comment on attachment 619439 [details] [diff] [review]
patch

[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-beta+
Attachment #619439 - Flags: approval-mozilla-aurora?
Attachment #619439 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 13

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/dcc4f7b30335
https://hg.mozilla.org/releases/mozilla-beta/rev/c8c144ad1185
status-firefox13: affected → fixed
status-firefox14: affected → fixed
status-firefox15: affected → fixed
Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Status: RESOLVED → VERIFIED
Alias: CVE-2012-1946
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
Keywords: csectype-uaf