Bug 760996 (CVE-2012-3970): Heap-use-after-free in nsTArray_base<nsTArrayDefaultAllocator>::Length()
Status: Closed. Opened 13 years ago, closed 13 years ago.
Categories: Core :: SVG, defect
Resolution: VERIFIED FIXED

Branch | Tracking | Status
---|---|---
firefox15 | + | fixed
firefox16 | + | verified
firefox-esr10 | --- | unaffected
People: Reporter: ax330d, Assigned: dholbert
References: Blocks 1 open bug
Details: 6 keywords, Whiteboard: [advisory-tracking+][asan] fixed by bug 761507
Attachments: 2 files
ASan detected use-after-free when running attached test-case. ASan log is for build http://hg.mozilla.org/mozilla-central/rev/12ab69851e05
When testing, I was not able to reproduce on Windows 7 x64, neither on stable nor on 15.0a1. It crashes for me only on Linux (Ubuntu 11.10 x64).
Comment 1 (Reporter) • 13 years ago
Component: Untriaged → SVG
Product: Firefox → Core
QA Contact: untriaged → general
Comment 2 • 13 years ago
Is DOMSVGTests.cpp only a test file, or is that present in release builds? Is the problem _in_ the SVG file or is it a bug in the underlying nsTArray?
Daniel: can you find an owner for this one? Thanks!
Assignee: nobody → dholbert
Comment 3 (Assignee) • 13 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is DOMSVGTests.cpp only a test file, or is that present in release builds?
Present in release builds. It lets authors render different content depending on available features & the system language.
> Is the problem _in_ the SVG file or is it a bug in the underlying nsTArray?
It's almost certainly an SVG bug.
> Daniel: can you find an owner for this one? Thanks!
CC'ing longsonr, since he wrote that file and has been working with that code recently.
In fact -- I'd bet that this is fixed by his patch on bug 761507. (That patch lets us keep DOMSVGTests' PropertyTable entries around after adoptNode is called, and this bug's ASAN log is in nsDocument::AdoptNode() calling nsPropertyTable::PropertyList::DeletePropertyFor, so I doubt we'll hit the ASAN-flagged stack anymore.)
That patch has landed on mozilla-inbound, but it hasn't quite made it to mozilla-central yet. Once it does, it'd be awesome if Arthur or someone with ASAN configuration could re-test to verify that this is fixed.
Whiteboard: [dupe of bug 761507?]
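The lifetime mismatch comment 3 describes (a document-side property table deleting its entry on adoptNode while the element still holds a pointer to the array that entry owned) reduced to a small C model. This is an added example, not Mozilla's code and not the attached testcase; StringArray, PropertyTable, Document, Node, adopt_buggy and adopt_fixed are hypothetical names, and the "fixed" variant only illustrates the effect comment 3 attributes to the bug 761507 patch (entries survive adoption), not how that patch is written.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not Mozilla's code. A document-owned side table (the
 * nsPropertyTable role) owns each node's array; the node keeps a raw pointer
 * to it (the array whose Length() ASan flagged). adopt_buggy() frees the old
 * document's entry on adoption, like DeletePropertyFor in the ASan stack, so
 * the pointer dangles; adopt_fixed() moves the entry to the new document. */

#define MAX_PROPS 16

typedef struct { size_t length; int items[8]; } StringArray;      /* Length() */
typedef struct Node Node;
typedef struct { const Node *key; StringArray *value; } PropEntry; /* owns value */
typedef struct { PropEntry entries[MAX_PROPS]; size_t count; } PropertyTable;
typedef struct { PropertyTable props; } Document;
struct Node { Document *owner_doc; StringArray *cached; };         /* cached: non-owning */

static PropEntry *table_find(PropertyTable *t, const Node *key) {
    for (size_t i = 0; i < t->count; i++)
        if (t->entries[i].key == key) return &t->entries[i];
    return NULL;
}

static StringArray *table_lookup(PropertyTable *t, const Node *key) {
    PropEntry *e = table_find(t, key);
    return e ? e->value : NULL;
}

static int table_set(PropertyTable *t, const Node *key, StringArray *v) {
    if (t->count == MAX_PROPS) return 0;
    t->entries[t->count].key = key;
    t->entries[t->count++].value = v;
    return 1;
}

/* Unlink the entry; ownership of the value passes to the caller. */
static StringArray *table_take(PropertyTable *t, const Node *key) {
    PropEntry *e = table_find(t, key);
    if (!e) return NULL;
    StringArray *v = e->value;
    *e = t->entries[--t->count];            /* swap-remove */
    return v;
}

Node *node_create(Document *doc, size_t n) {
    StringArray *v = calloc(1, sizeof *v);
    Node *node = calloc(1, sizeof *node);
    if (n > 8 || !v || !node || !table_set(&doc->props, node, v)) {
        free(v); free(node);
        return NULL;
    }
    v->length = n;
    node->owner_doc = doc;
    node->cached = v;
    return node;
}

/* Buggy adoptNode: the old document frees the entry (DeletePropertyFor) but
 * node->cached is never cleared, so the next cached->length read is a UAF. */
void adopt_buggy(Node *node, Document *new_doc) {
    free(table_take(&node->owner_doc->props, node));
    node->owner_doc = new_doc;
}

/* Fixed adoptNode: the entry travels with the node, so cached stays backed by
 * a live, table-owned allocation. Returns 0 if the new table is full. */
int adopt_fixed(Node *node, Document *new_doc) {
    StringArray *v = table_take(&node->owner_doc->props, node);
    node->owner_doc = new_doc;
    if (v && !table_set(&new_doc->props, node, v)) {
        free(v);
        node->cached = NULL;                /* never keep a pointer to freed memory */
        return 0;
    }
    return 1;
}

/* 1 when node->cached is not backed by a live entry in the owning table. */
int cached_is_dangling(const Node *node) {
    return table_lookup(&node->owner_doc->props, node) != node->cached;
}

/* Length() routed through the owner: -1 if the entry is gone, no stale deref. */
long node_length_checked(const Node *node) {
    StringArray *v = table_lookup(&node->owner_doc->props, node);
    return v ? (long)v->length : -1;
}

void node_destroy(Node *node) {
    free(table_take(&node->owner_doc->props, node));   /* NULL if already gone */
    free(node);
}

int main(void) {
    Document a = {0}, b = {0}, c = {0}, d = {0};
    Node *n = node_create(&a, 3), *m = node_create(&c, 5);
    adopt_fixed(n, &b);
    adopt_buggy(m, &d);   /* reading m->cached->length here is the UAF ASan reported */
    printf("fixed: length=%ld dangling=%d\n", node_length_checked(n), cached_is_dangling(n));
    printf("buggy: length=%ld dangling=%d\n", node_length_checked(m), cached_is_dangling(m));
    node_destroy(n); node_destroy(m);
    return 0;
}
```

The model deliberately never dereferences the stale pointer after adopt_buggy(); cached_is_dangling() and node_length_checked() consult the owning table instead, which is the check a reviewer would want wherever a raw pointer to table-owned data is cached. Under ASan the real read of `cached->length` after the buggy adoption is exactly what produces a heap-use-after-free report in Length().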
Comment 4 (Assignee) • 13 years ago
bug 761507's patch has now made it to mozilla-central (bug 761507 comment 9).
:decoder tells me he's making automated Linux 64-bit ASAN builds now, so I tried the one from yesterday and the one from today -- those are, in order:
http://people.mozilla.org/~choller/firefox/asan/20120606-mozilla-central-debug-a6c39a15557b+asan.html
http://people.mozilla.org/~choller/firefox/asan/20120607-mozilla-central-debug-7e4c2abb9fc9+asan.html
Using the testcase attached here, yesterday's build crashes and reports a use-after-free. Today's build is fine -- no crash, no use-after-free. So, confirmed fixed by bug 761507. Pretty sure this is a duplicate of that bug -- marking as such.
Thanks for the bug report, Arthur!
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [dupe of bug 761507?]
Version: 15 Branch → Trunk
Comment 5 (Assignee) • 13 years ago
...though note that, for security-bug-bounty purposes, this bug here was filed before bug 761507 (as well as before related bug 761499).
Comment 6 • 13 years ago
Daniel: if you don't mind I'd like to call this one "FIXED" rather than "DUPE" as a testing hint that we should verify this testcase separately to be sure. I'm going to save Al some work by marking this verified based on comment 4, but we should double-check when this lands on Aurora (to make Firefox 15).
Status: RESOLVED → VERIFIED
status-firefox-esr10: --- → unaffected
status-firefox15: --- → affected
status-firefox16: --- → verified
tracking-firefox15: --- → +
tracking-firefox16: --- → +
Resolution: DUPLICATE → FIXED
Whiteboard: fixed by bug 761507
Updated • 13 years ago
Blocks: 754592
Keywords: regression
Comment 8 • 13 years ago
(In reply to Daniel Holbert [:dholbert] from comment #5)
> ...though note that, for security-bug-bounty purposes, this bug here was
> filed before bug 761507 (as well as before related bug 761499).
According to http://www.mozilla.org/security/bug-bounty.html the bug must be in a Beta or release candidate. Unless we fail to fix it in Aurora, that won't be the case will it?
Comment 9 • 13 years ago
(In reply to Robert Longson from comment #8)
> According to http://www.mozilla.org/security/bug-bounty.html the bug must be
> in a Beta or release candidate. Unless we fail to fix it in Aurora, that
> won't be the case will it?
I don't think the document is right there, or at least the formulation is misleading. Even nightly is eligible for bug bounty and has always been since I learned about the program.
Comment 10 • 13 years ago
Someone should update the document to match reality then.
Comment 11 • 13 years ago
(In reply to Robert Longson from comment #10)
> Someone should update the document to match reality then.
The FAQ has always said
http://www.mozilla.org/security/bug-bounty-faq.html#development-releases
Comment 12 • 13 years ago
Fixed by bug 761507, fixed in 15.
Updated • 13 years ago
Whiteboard: fixed by bug 761507 → [advisory-tracking+] fixed by bug 761507
Updated • 13 years ago
Alias: CVE-2012-3970
Updated • 12 years ago
Group: core-security
Updated • 12 years ago
Whiteboard: [advisory-tracking+] fixed by bug 761507 → [advisory-tracking+][asan] fixed by bug 761507
Updated • 8 years ago
Keywords: csectype-uaf
Updated • 9 months ago
Keywords: reporter-external