Bug 756792 - Heap-buffer-overflow due to IcedTea plugin
Status: RESOLVED INVALID
Keywords: sec-vector
Product: Core
Classification: Components
Component: Plug-ins
Version: 14 Branch
Platform: x86_64 Linux
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
Reported: 2012-05-19 09:35 PDT by Arthur Gerkis
Modified: 2013-02-26 13:15 PST

Attachments
test-case (.zip) triggering the crash (764 bytes, application/java-archive) - 2012-05-19 09:35 PDT, Arthur Gerkis
ASan log (symbolized) (2.04 KB, text/plain) - 2012-05-19 09:36 PDT, Arthur Gerkis
ASan log (non-symbolized, just to see the paths) (2.26 KB, text/plain) - 2012-05-19 09:37 PDT, Arthur Gerkis
Patch to fix this issue (689 bytes, patch) - 2012-10-18 10:48 PDT, Deepak Bhole
Final fix for this issue (1.64 KB, patch) - 2012-11-01 21:12 PDT, Deepak Bhole

Description Arthur Gerkis 2012-05-19 09:35:52 PDT
Created attachment 625421 [details]
test-case (.zip) triggering the crash

ASan reported a heap-buffer-overflow after triggering an event attached to an applet loaded with the IcedTea plugin.

Environment information:
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

Tested only on Linux x64, 14 and 15 branches.
Comment 1 Arthur Gerkis 2012-05-19 09:36:35 PDT
Created attachment 625422 [details]
ASan log (symbolized)
Comment 2 Arthur Gerkis 2012-05-19 09:37:14 PDT
Created attachment 625423 [details]
ASan log (non-symbolized, just to see the paths)
Comment 3 Benjamin Smedberg [:bsmedberg] 2012-05-19 13:57:37 PDT
Why don't we have symbols for the plugin? Isn't it an open-source plugin?

What file format is the testcase?
Comment 4 Arthur Gerkis 2012-05-20 05:13:18 PDT
(In reply to Benjamin Smedberg [:bsmedberg] from comment #3)
> What file format is the testcase?

Not sure what you mean - isn't the test-case working for you? There should be two files in the zip archive - run.html and TestApplet.class; one has to open run.html.
Comment 5 Benjamin Smedberg [:bsmedberg] 2012-05-21 05:32:11 PDT
Comment on attachment 625421 [details]
test-case (.zip) triggering the crash

Bugzilla doesn't show file names, so I had no way of knowing that it was a zip.
Comment 6 Daniel Veditz [:dveditz] 2012-05-23 10:54:05 PDT
Could be an off-by-one in IcedTea itself... who maintains that?
Comment 7 David Bolter [:davidb] 2012-08-29 11:52:10 PDT
Jorge, do you know who maintains IcedTea?
Comment 8 Jorge Villalobos [:jorgev] 2012-08-29 12:44:42 PDT
According to bug 739955 comment #65, it is Deepak Bhole (dbhole@redhat.com).
Comment 9 Al Billings [:abillings] 2012-10-12 16:25:09 PDT
Adding Deepak since no one else did.
Comment 10 Deepak Bhole 2012-10-18 10:48:05 PDT
Created attachment 672849 [details] [diff] [review]
Patch to fix this issue

Thank you for adding me to cc:, Al. I have investigated the issue and found the underlying cause. Since the reproducer is already posted here, I see no reason not to post the proposed fix as well. With the attached patch, the heap overflow is curtailed and ASan shows no errors.

I will talk to our security team to do a proper release as appropriate and will post the details here once I have them.
Comment 11 Deepak Bhole 2012-11-01 21:12:56 PDT
Created attachment 677652 [details] [diff] [review]
Final fix for this issue

Hi. I am attaching the latest (and final) proposed fix for this issue. Tomas Hoger from our security team found a couple of other potential problem areas and while investigating, we also found some memory leaks. This patch addresses all issues.

We have assigned a CVE for this (CVE-2012-4540) and the unembargo date is tentatively set for November 7th 2012.
Comment 12 Al Billings [:abillings] 2012-11-02 12:02:17 PDT
Do we need to check this in somewhere?
Comment 13 Benjamin Smedberg [:bsmedberg] 2012-11-02 12:16:40 PDT
No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any Mozilla product. Marking INVALID for now, and we can clear the security flag once the embargo is lifted.
Comment 14 Deepak Bhole 2012-11-02 12:17:39 PDT
(In reply to Benjamin Smedberg [:bsmedberg] from comment #13)
> No, this is a bug/fix in the IcedTea Java plugin and is not a bug in any
> Mozilla product. Marking INVALID for now, and we can clear the security flag
> once the embargo is lifted.

Thanks. 

I posted the patch here just as an FYI. Mozilla product code is not affected in any way.
Comment 15 Tomas Hoger 2012-11-07 10:41:33 PST
Fixed in IcedTea-Web 1.1.7, 1.2.2 and 1.3.1:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
Comment 16 Jesse Ruderman 2013-02-22 15:58:59 PST
Is it ok to make this bug report public now?
Comment 17 Deepak Bhole 2013-02-25 11:10:19 PST
Yes, the fix has been publicly released for a while now and there is no harm in opening this bug.