Bug 760996 - (CVE-2012-3970) Heap-use-after-free in nsTArray_base<nsTArrayDefaultAllocator>::Length()

Status: VERIFIED FIXED
Whiteboard: [advisory-tracking+][asan] fixed by b...
Keywords: crash, csectype-uaf, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: SVG
Version: Trunk
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: ---
Assigned To: Daniel Holbert [:dholbert]
Jet Villegas (:jet)
Depends on: 761507
Blocks: 754592
Reported: 2012-06-03 09:38 PDT by Arthur Gerkis
Modified: 2016-12-01 13:31 PST
rforbes: sec-bounty+
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
test-case triggering the crash (*.zip) (884 bytes, application/octet-stream) - 2012-06-03 09:38 PDT, Arthur Gerkis
ASan log (12ab69851e05) (4.11 KB, text/plain) - 2012-06-03 09:38 PDT, Arthur Gerkis

Description Arthur Gerkis 2012-06-03 09:38:05 PDT
Created attachment 629613 [details]
test-case triggering the crash (*.zip)

ASan detected use-after-free when running attached test-case. ASan log is for build http://hg.mozilla.org/mozilla-central/rev/12ab69851e05

When testing, was not able to reproduce on Windows 7 x64 - neither stable nor 15.0a1. Crashes for me only on Linux (Ubuntu 11.10 x64).
Comment 1 Arthur Gerkis 2012-06-03 09:38:34 PDT
Created attachment 629614 [details]
ASan log (12ab69851e05)
Comment 2 Daniel Veditz [:dveditz] 2012-06-06 10:27:16 PDT
Is DOMSVGTests.cpp only a test file, or is that present in release builds? Is the problem _in_ the SVG file or is it a bug in the underlying nsTArray?

Daniel: can you find an owner for this one? Thanks!
Comment 3 Daniel Holbert [:dholbert] 2012-06-06 10:47:32 PDT
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is DOMSVGTests.cpp only a test file, or is that present in release builds?

Present in release builds. It lets authors render different content depending on available features & the system language.

> Is the problem _in_ the SVG file or is it a bug in the underlying nsTArray?

It's almost certainly a SVG bug.

> Daniel: can you find an owner for this one? Thanks!

CC'ing longsonr, since he wrote that file and has been working with that code recently.

In fact -- I'd bet that this is fixed by his patch on bug 761507.  (That patch lets us keep DOMSVGTests' PropertyTable entries around after adoptNode is called, and this bug's ASAN log is in nsDocument::AdoptNode() calling nsPropertyTable::PropertyList::DeletePropertyFor, so I doubt we'll hit the ASAN-flagged stack anymore.)

That patch has landed on mozilla-inbound, but it hasn't quite made it to mozilla-central yet. Once it does, it'd be awesome if Arthur or someone with ASAN configuration could re-test to verify that this is fixed.
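A simplified model of the lifetime hazard dholbert describes above, added here as an illustration; it is not Gecko code and not the bug 761507 patch. The `Document` property table, the `DOMSVGTestsHandle` observer and the two `AdoptNode*` functions are assumed stand-ins for nsPropertyTable, the DOMSVGTests wrapper and nsDocument::AdoptNode.

```cpp
// Added illustration, not Gecko code: a per-node property table owns a
// list (stand-in for nsTArray); a DOMSVGTests-like wrapper keeps a
// non-owning handle to it. Deleting the node's properties on adopt leaves
// the handle dangling; transferring them keeps it valid.
#include <map>
#include <memory>
#include <string>
#include <vector>
using Node = int;                           // stand-in for a DOM node
using TestList = std::vector<std::string>;  // stand-in for nsTArray

struct Document {
    std::map<Node, std::shared_ptr<TestList>> props;  // owning property table
};

// Non-owning observer, like a wrapper that cached a pointer into the table.
struct DOMSVGTestsHandle {
    std::weak_ptr<TestList> tests;
    // In the real code a freed list would be read here (the ASan UAF);
    // the model reports -1 instead of touching freed memory.
    int Length() const {
        auto p = tests.lock();
        return p ? static_cast<int>(p->size()) : -1;
    }
};

// Buggy: DeletePropertyFor on adopt drops the only owner of the list.
void AdoptNodeBuggy(Document& from, Document& to, Node n) {
    from.props.erase(n);
    (void)to;  // nothing is carried over to the new document
}

// Fixed: move the entry to the destination table so cached handles survive.
void AdoptNodeFixed(Document& from, Document& to, Node n) {
    auto it = from.props.find(n);
    if (it == from.props.end()) return;
    to.props[n] = std::move(it->second);
    from.props.erase(it);
}

// Creates an SVG node with two (constructed) test attributes, adopts it
// into another document and reports what Length() sees afterwards.
int LengthAfterAdopt(bool fixed) {
    Document a, b;
    Node svg = 1;
    a.props[svg] = std::make_shared<TestList>(
        TestList{"requiredFeatures", "systemLanguage"});
    DOMSVGTestsHandle h{a.props[svg]};
    fixed ? AdoptNodeFixed(a, b, svg) : AdoptNodeBuggy(a, b, svg);
    return h.Length();  // -1 with the buggy adopt, 2 with the fixed one
}
```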
Comment 4 Daniel Holbert [:dholbert] 2012-06-07 10:22:43 PDT
bug 761507's patch has now made it to mozilla-central (bug 761507 comment 9).

:decoder tells me he's making automated Linux 64-bit ASAN builds now, so I tried the one from yesterday and the one from today -- those are, in order:
http://people.mozilla.org/~choller/firefox/asan/20120606-mozilla-central-debug-a6c39a15557b+asan.html
http://people.mozilla.org/~choller/firefox/asan/20120607-mozilla-central-debug-7e4c2abb9fc9+asan.html

Using the testcase attached here, yesterday's build crashes and reports a use-after-free.  Today's build is fine -- no crash, no use-after-free. So, confirmed fixed by bug 761507. Pretty sure this is a duplicate of that bug -- marking as such.

Thanks for the bug report, Arthur!

*** This bug has been marked as a duplicate of bug 761507 ***
Comment 5 Daniel Holbert [:dholbert] 2012-06-07 10:59:28 PDT
...though note that, for security-bug-bounty purposes, this bug here was filed before bug 761507 (as well as before related bug 761499).
Comment 6 Daniel Veditz [:dveditz] 2012-06-10 20:01:39 PDT
Daniel: if you don't mind I'd like to call this one "FIXED" rather than "DUPE" as a testing hint that we should verify this testcase separately to be sure. I'm going to save Al some work by marking this verified based on comment 4, but we should double-check when this lands on Aurora (to make Firefox 15).
Comment 8 Robert Longson 2012-06-10 22:23:27 PDT
(In reply to Daniel Holbert [:dholbert] from comment #5)
> ...though note that, for security-bug-bounty purposes, this bug here was
> filed before bug 761507 (as well as before related bug 761499).

According to http://www.mozilla.org/security/bug-bounty.html the bug must be in a Beta or release candidate. Unless we fail to fix it in Aurora, that won't be the case will it?
Comment 9 Christian Holler (:decoder) 2012-06-11 02:45:39 PDT
(In reply to Robert Longson from comment #8)
> According to http://www.mozilla.org/security/bug-bounty.html the bug must be
> in a Beta or release candidate. Unless we fail to fix it in Aurora, that
> won't be the case will it?

I don't think the document is right there, or at least the formulation is misleading. Even nightly is eligible for bug bounty and has always been since I learned about the program.
Comment 10 Robert Longson 2012-06-11 03:05:18 PDT
Someone should update the document to match reality then.
Comment 11 Daniel Veditz [:dveditz] 2012-06-11 15:41:31 PDT
(In reply to Robert Longson from comment #10)
> Someone should update the document to match reality then.

The FAQ has always said
http://www.mozilla.org/security/bug-bounty-faq.html#development-releases
Comment 12 Alex Keybl [:akeybl] 2012-07-26 17:03:22 PDT
Fixed by bug 761507, fixed in 15.
Comment 13 Raymond Forbes[:rforbes] 2013-07-19 18:36:57 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719