Bug 772346 (CVE-2012-3958)

Heap-use-after-free in nsHTMLEditRules::DeleteNonTableElements

RESOLVED FIXED in Firefox 15

Status


Core
Editor
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: Abhishek Arya, Assigned: Ehsan)

Tracking

({csectype-uaf, regression, sec-critical})

Trunk
mozilla16
x86_64
All
csectype-uaf, regression, sec-critical
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox14 unaffected, firefox15+ fixed, firefox16+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][fixed by bug 775552 for Firefox 15][advisory-tracking+])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Reproduces on trunk. My repro is ugly but reproduces reliably on my local machine. I will attach something here once I get a better minimized repro.

I debugged and didn't see a reason to wait for filing. Some of the stack frames are missing between #0 and #1 since this is an optimized build. But GetPreviousSibling() in #0 [see nsHTMLEditRules::DeleteNonTableElements] tells that the stale child is being accessed. It looks like a raw ptr issue probably coming from http://hg.mozilla.org/mozilla-central/diff/270ac87cffba/editor/libeditor/html/nsHTMLEditRules.cpp#l1.85. When I changed to nsCOMPtr and recompiled, the crash stopped.

=================================================================
==19766== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc1cdd689b8 at pc 0x7fc20556baa8 bp 0x7fff36485200 sp 0x7fff364851f8
READ of size 8 at 0x7fc1cdd689b8 thread T0
    #0 0x7fc20556baa8 in nsINode::GetPreviousSibling() const firefox/src/modules/zlib/src/inffast.c:0
    #1 0x7fc2062f5dc0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:577
    #2 0x7fc20618d040 in nsPlaintextEditor::DeleteSelection(short, short) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:657
    #3 0x7fc2062f6468 in nsHTMLEditRules::WillInsertText(nsEditor::OperationID, mozilla::Selection*, bool*, bool*, nsAString_internal const*, nsAString_internal*, int) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:1260
    #4 0x7fc2062f5ca3 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:570
    #5 0x7fc20618d5ec in nsPlaintextEditor::InsertText(nsAString_internal const&) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:700
    #6 0x7fc2061c3c67 in nsInsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/editor/libeditor/base/nsEditorCommands.cpp:834
    #7 0x7fc2069858a9 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
    #8 0x7fc20697ec11 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) firefox/src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
    #9 0x7fc2069824f7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) firefox/src/embedding/components/commandhandler/src/nsCommandManager.cpp:238
    #10 0x7fc205de5469 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) firefox/src/content/html/document/src/nsHTMLDocument.cpp:3218
    #11 0x7fc20721b125 in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
    #12 0x7fc2066bdce8 in CallMethodHelper::Invoke() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:3071
    #13 0x7fc2066cbfee in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #14 0x7fc207b2807f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:400
    #15 0x7fc207b1de9e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2465
    #16 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
    #17 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
    #18 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
    #19 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
    #20 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
    #21 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
    #22 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
    #23 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
    #24 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
    #25 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
    #26 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
    #27 0x7fc2071ef654 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:624
    #28 0x7fc20716061d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:217
    #29 0x7fc206f5fd48 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
    #30 0x7fc20726091f in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
    #31 0x7fc206d6f73e in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #32 0x7fc205171943 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
    #33 0x7fc205172272 in XRE_main firefox/src/toolkit/xre/nsAppRunner.cpp:3940
    #34 0x409e93 in do_main(int, char**) firefox/src/browser/app/nsBrowserApp.cpp:160
    #35 0x40957d in main firefox/src/browser/app/nsBrowserApp.cpp:330
    #36 0x7fc20c9a2c4d in ?? ??:0
0x7fc1cdd689b8 is located 56 bytes inside of 120-byte region [0x7fc1cdd68980,0x7fc1cdd689f8)
freed by thread T0 here:
    #0 0x425a42 in free ??:0
    #1 0x7fc205b17a9b in nsNodeUtils::LastRelease(nsINode*) firefox/src/content/base/src/nsNodeUtils.cpp:252
    #2 0x7fc205ad86df in nsGenericDOMDataNode::Release() firefox/src/content/base/src/nsGenericDOMDataNode.cpp:113
    #3 0x7fc2063169ad in nsHTMLEditRules::DeleteNonTableElements(nsINode*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:2824
    #4 0x7fc2062f5dc0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:577
    #5 0x7fc20618d040 in nsPlaintextEditor::DeleteSelection(short, short) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:657
    #6 0x7fc2062f6468 in nsHTMLEditRules::WillInsertText(nsEditor::OperationID, mozilla::Selection*, bool*, bool*, nsAString_internal const*, nsAString_internal*, int) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:1260
    #7 0x7fc2062f5ca3 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:570
    #8 0x7fc20618d5ec in nsPlaintextEditor::InsertText(nsAString_internal const&) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:700
    #9 0x7fc2061c3c67 in nsInsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/editor/libeditor/base/nsEditorCommands.cpp:834
    #10 0x7fc2069858a9 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
    #11 0x7fc20697ec11 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) firefox/src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
    #12 0x7fc2069824f7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) firefox/src/embedding/components/commandhandler/src/nsCommandManager.cpp:238
    #13 0x7fc205de5469 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) firefox/src/content/html/document/src/nsHTMLDocument.cpp:3218
    #14 0x7fc20721b125 in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
    #15 0x7fc2066bdce8 in CallMethodHelper::Invoke() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:3071
    #16 0x7fc2066cbfee in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #17 0x7fc207b2807f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:400
    #18 0x7fc207b1de9e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2465
    #19 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
    #20 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
    #21 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
    #22 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
    #23 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
    #24 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
    #25 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
    #26 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
    #27 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
    #28 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
    #29 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
previously allocated by thread T0 here:
    #0 0x425b02 in __interceptor_malloc ??:0
    #1 0x7fc209fd13f0 in moz_xmalloc firefox/src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7fc205a3f31d in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) firefox/src/content/base/src/nsContentUtils.cpp:4310
    #3 0x7fc20677c151 in nsIDOMNode_SetTextContent(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*) firefox/src/objdir-ff-asan/js/xpconnect/src/dom_quickstubs.cpp:5665
    #4 0x7fc207b64928 in js::CallJSPropertyOpSetter(JSContext*, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*), JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*) firefox/src/js/src/jscntxtinlines.h:460
    #5 0x7fc207b695f1 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::Value*, int) firefox/src/js/src/jsobj.cpp:4924
    #6 0x7fc207b2d620 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Value const&, JS::Value const&) firefox/src/js/src/jsinterpinlines.h:353
    #7 0x7fc207b0bbb8 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2378
    #8 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
    #9 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
    #10 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
    #11 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
    #12 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
    #13 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
    #14 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
    #15 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
    #16 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
    #17 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
    #18 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
    #19 0x7fc2071ef654 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:624
    #20 0x7fc20716061d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:217
    #21 0x7fc206f5fd48 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
    #22 0x7fc20726091f in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
    #23 0x7fc206d6f73e in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #24 0x7fc205171943 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
==19766== ABORTING
Stats: 254M malloced (344M for red zones) by 1006225 calls
Stats: 61M realloced by 90383 calls
Stats: 199M freed by 740263 calls
Stats: 96M really freed by 201732 calls
Stats: 528M (135231 full pages) mmaped in 132 calls
  mmaps   by size class: 8:704469; 9:81910; 10:24570; 11:20470; 12:5120; 13:4608; 14:1792; 15:512; 16:640; 17:160; 18:208; 19:48; 20:16;
  mallocs by size class: 8:829738; 9:109453; 10:28229; 11:24936; 12:5172; 13:4924; 14:2120; 15:516; 16:683; 17:171; 18:222; 19:45; 20:16;
  frees   by size class: 8:588569; 9:95710; 10:23943; 11:20926; 12:3996; 13:3894; 14:1904; 15:444; 16:595; 17:151; 18:78; 19:40; 20:13;
  rfrees  by size class: 8:144710; 9:31877; 10:10454; 11:10832; 12:1184; 13:698; 14:1154; 15:224; 16:419; 17:82; 18:51; 19:37; 20:10;
Stats: malloc large: 454 small slow: 3904
Shadow byte and word:
  0x1ff839bad137: fd
  0x1ff839bad130: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff839bad110: 00 00 00 fb fb fb fb fb
  0x1ff839bad118: fb fb fb fb fb fb fb fb
  0x1ff839bad120: fa fa fa fa fa fa fa fa
  0x1ff839bad128: fa fa fa fa fa fa fa fa
=>0x1ff839bad130: fd fd fd fd fd fd fd fd
  0x1ff839bad138: fd fd fd fd fd fd fd fd
  0x1ff839bad140: fa fa fa fa fa fa fa fa
  0x1ff839bad148: fa fa fa fa fa fa fa fa
  0x1ff839bad150: fd fd fd fd fd fd fd fd
(Reporter)

Updated

5 years ago
Whiteboard: [asan]

Comment 1

5 years ago
Yet another regression to not-follow-xpcom rules?
Created attachment 640732 [details] [diff] [review]
Patch (v1)
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #640732 - Flags: review?(roc)
Attachment #640732 - Flags: review?(roc) → review+
Component: General → Editor
Product: Firefox → Core
https://hg.mozilla.org/integration/mozilla-inbound/rev/32b6c83aeac5
Target Milestone: --- → mozilla16
(Reporter)

Comment 4

5 years ago
Looks like this needs to be marked Resolved :)
mozilla-inbound is our integration branch which gets merged to mozilla-central a few times a day.  We usually mark bugs as fixed when the patch lands on mozilla-central.  This should probably happen some time tomorrow for this bug.  :-)
(Reporter)

Comment 6

5 years ago
Great! Good to know... :)

Comment 7

5 years ago
And voilà! :-)

https://hg.mozilla.org/mozilla-central/rev/32b6c83aeac5
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
This code is probably wrong anyway, for the same reason as in bug 767684.  It now says

  for (nsCOMPtr<nsIContent> child = aNode->GetLastChild();
       child;
       child = child->GetPreviousSibling()) {
    nsresult rv = DeleteNonTableElements(child);
    NS_ENSURE_SUCCESS(rv, rv);
  }

But DeleteNonTableElements(child) might remove child, so GetPreviousSibling will incorrectly return null.  Changing it back to the way it was should both fix the use-after-free and make it correctly affect all children:

  for (PRInt32 i = aNode->GetChildCount() - 1; i >= 0; --i) {
    nsresult rv = DeleteNonTableElements(aNode->GetChildAt(i));
    NS_ENSURE_SUCCESS(rv, rv);
  }

Anyway, this is likely a regression from bug 755264, and probably affects 15.  I can't tell, because there's no test-case here (ugly or otherwise).  Do we want to backport this?
Blocks: 755264
tracking-firefox15: --- → ?
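As an added illustration (not code from this bug, its patch, or Gecko), the following toy model reproduces both points made on this page: the reporter's finding that the sibling walk in DeleteNonTableElements reads a child after the recursive call has freed it, and comment 8's point that merely holding a strong reference (the v1 patch) stops the walk early, because a removed node has no previous sibling, whereas the index-based loop visits every child. The DOM structure, the quarantine that stands in for ASan's poisoned heap, and the tag set used for IsTableElementButNotTable are all assumptions of the example, not Gecko's implementation.

```cpp
// Added example, not Gecko code: a toy DOM that models the child-walk hazard.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct Node;
using NodePtr = std::shared_ptr<Node>;

// `children` owns the child nodes (like the DOM child list); `parent` is a raw
// back-pointer (like nsINode::GetParent()).
struct Node {
    std::string tag;
    Node* parent = nullptr;
    std::vector<NodePtr> children;
    bool alive = true;  // cleared when the node is "freed" (see g_quarantine)
};

// A removed node that nobody else references is parked here marked dead rather
// than destroyed, so a later touch is counted in g_uafDetected instead of being
// undefined behaviour. The counter plays the role of the ASan report above.
static std::vector<NodePtr> g_quarantine;
static int g_uafDetected = 0;

static NodePtr MakeNode(const char* tag) { NodePtr n = std::make_shared<Node>(); n->tag = tag; return n; }
static void AppendChild(const NodePtr& p, const NodePtr& c) { c->parent = p.get(); p->children.push_back(c); }
static NodePtr GetLastChild(Node* n) { return n->children.empty() ? NodePtr() : n->children.back(); }

// Like nsINode::GetPreviousSibling(): null for a first child and for a node
// that has already been removed from its parent.
static NodePtr GetPreviousSibling(Node* n) {
    if (!n->alive) { ++g_uafDetected; return nullptr; }  // the READ in the ASan report
    if (!n->parent) return nullptr;
    std::vector<NodePtr>& sib = n->parent->children;
    auto it = std::find_if(sib.begin(), sib.end(), [n](const NodePtr& p) { return p.get() == n; });
    return it == sib.begin() ? NodePtr() : *(it - 1);
}

// Detach `child` from its parent. When only the parent held it, this is the
// point at which the real node would be freed.
static void Remove(Node* child) {
    std::vector<NodePtr>& sib = child->parent->children;
    auto it = std::find_if(sib.begin(), sib.end(), [child](const NodePtr& p) { return p.get() == child; });
    NodePtr keep = *it;
    sib.erase(it);
    child->parent = nullptr;
    if (keep.use_count() == 1) { keep->alive = false; g_quarantine.push_back(keep); }
}

// Assumed stand-in for nsHTMLEditUtils::IsTableElementButNotTable: these nodes
// are kept and their children visited; every other node is removed.
static bool IsTableElementButNotTable(const Node* n) {
    return n->tag == "tbody" || n->tag == "tr" || n->tag == "td" || n->tag == "th";
}

// Last-child / previous-sibling walk, the shape of the regressing change.
// strong=false: the loop variable is a raw pointer, so the first removal is
// followed by a read through freed memory (the reporter's crash).
// strong=true: a strong reference (the v1 patch) keeps the node alive, but its
// previous sibling now reads as null, so the walk ends after one child
// (comment 8's point).
static void DeleteNonTableElementsSibling(Node* aNode, bool strong) {
    if (!IsTableElementButNotTable(aNode)) { Remove(aNode); return; }
    if (strong) {
        for (NodePtr child = GetLastChild(aNode); child; child = GetPreviousSibling(child.get()))
            DeleteNonTableElementsSibling(child.get(), true);
    } else {
        for (Node* child = GetLastChild(aNode).get(); child; child = GetPreviousSibling(child).get())
            DeleteNonTableElementsSibling(child, false);
    }
}

// The index walk from comment 8: removing child i leaves indices 0..i-1 intact,
// so every child is visited and no freed node is ever dereferenced.
static void DeleteNonTableElementsIndex(Node* aNode) {
    if (!IsTableElementButNotTable(aNode)) { Remove(aNode); return; }
    for (int i = static_cast<int>(aNode->children.size()) - 1; i >= 0; --i)
        DeleteNonTableElementsIndex(aNode->children[i].get());
}

// Constructed sample tree: <tr><span/><td><b/></td><span/></tr>
static NodePtr BuildRow() {
    NodePtr tr = MakeNode("tr"), td = MakeNode("td");
    AppendChild(tr, MakeNode("span"));
    AppendChild(td, MakeNode("b"));
    AppendChild(tr, td);
    AppendChild(tr, MakeNode("span"));
    return tr;
}

// Runs one variant on a fresh row and returns the tags of the children that
// survive; g_uafDetected afterwards tells whether a dead node was read.
enum Walk { kRawSibling, kStrongSibling, kIndex };
static std::vector<std::string> Run(Walk w) {
    g_quarantine.clear(); g_uafDetected = 0;
    NodePtr tr = BuildRow();
    if (w == kIndex) DeleteNonTableElementsIndex(tr.get());
    else DeleteNonTableElementsSibling(tr.get(), w == kStrongSibling);
    std::vector<std::string> out;
    for (const NodePtr& c : tr->children) out.push_back(c->tag);
    return out;
}
```

Run(kRawSibling) leaves {"span", "td"} in the row and records one dead read; Run(kStrongSibling) leaves the same {"span", "td"} with no dead read, which is the silent correctness bug comment 8 describes; Run(kIndex) leaves only {"td"}. The quarantine replaces the real free so the example is well-defined; in the real build it is ASan's poisoned redzone that turns the same read into the report quoted in the description.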
(In reply to :Aryeh Gregor from comment #8)
> This code is probably wrong anyway, for the same reason as in bug 767684. 
> It now says
> 
>   for (nsCOMPtr<nsIContent> child = aNode->GetLastChild();
>        child;
>        child = child->GetPreviousSibling()) {
>     nsresult rv = DeleteNonTableElements(child);
>     NS_ENSURE_SUCCESS(rv, rv);
>   }
> 
> But DeleteNonTableElements(child) might remove child, so GetPreviousSibling
> will incorrectly return null.  Changing it back to the way it was should
> both fix the use-after-free and make it correctly affect all children:
> 
>   for (PRInt32 i = aNode->GetChildCount() - 1; i >= 0; --i) {
>     nsresult rv = DeleteNonTableElements(aNode->GetChildAt(i));
>     NS_ENSURE_SUCCESS(rv, rv);
>   }
> 
> Anyway, this is likely a regression from bug 755264, and probably affects
> 15.  I can't tell, because there's no test-case here (ugly or otherwise). 
> Do we want to backport this?

Good point.  For Aurora, I'd rather us back out bug 755264.  Can you please attach a patch for that?  Thanks!

Updated

5 years ago
status-firefox15: --- → affected
tracking-firefox15: ? → +
tracking-firefox16: --- → +
Keywords: regression
(In reply to Ehsan Akhgari [:ehsan] from comment #9)
> Good point.  For Aurora, I'd rather us back out bug 755264.  Can you please
> attach a patch for that?  Thanks!

Sure.  FWIW, this extra bug was fixed by bug 772332 part 1, which is on m-i and may or may not make it to Aurora.
(In reply to :Aryeh Gregor from comment #10)
> (In reply to Ehsan Akhgari [:ehsan] from comment #9)
> > Good point.  For Aurora, I'd rather us back out bug 755264.  Can you please
> > attach a patch for that?  Thanks!
> 
> Sure.  FWIW, this extra bug was fixed by bug 772332 part 1, which is on m-i
> and may or may not make it to Aurora.

It didn't, as it got backed out!
Filed bug 775552.  The patch no longer backs out cleanly.
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
Keywords: sec-critical
(In reply to :Aryeh Gregor from comment #12)
> Filed bug 775552.  The patch no longer backs out cleanly.

Is there more work to be done here to resolve for FF15? I think bug 775552 just set us up to apply cleanly, correct?
(In reply to Alex Keybl [:akeybl] from comment #13)
> (In reply to :Aryeh Gregor from comment #12)
> > Filed bug 775552.  The patch no longer backs out cleanly.
> 
> Is there more work to be done here to resolve for FF15? I think bug 775552
> just set us up to apply cleanly, correct?

Hmm, I think we need the patch in bug 775552 to land on beta as well.  I'll nominate it right now.
Comment on attachment 640732 [details] [diff] [review]
Patch (v1)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 755264
User impact if declined: sec-critical
Testing completed (on m-c, etc.): has baked on Nightly and Aurora
Risk to taking this patch (and alternatives if risky): this has very minimal risk
String or UUID changes made by this patch: none
Attachment #640732 - Flags: approval-mozilla-beta?
Comment on attachment 640732 [details] [diff] [review]
Patch (v1)

Low risk, approving for beta.
Attachment #640732 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
I was about to land this and I realized that this has been fixed on beta by bug 775552 landing there.  So I'm going to mark this as such.
status-firefox15: affected → fixed
Depends on: 775552
Whiteboard: [asan] → [asan][fixed by bug 775552 for Firefox 15]
Whiteboard: [asan][fixed by bug 775552 for Firefox 15] → [asan][fixed by bug 775552 for Firefox 15][advisory-tracking+]
Alias: CVE-2012-3958
Group: core-security
Keywords: csec-uaf
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+