Closed
Bug 778603
(CVE-2012-4204)
Opened 12 years ago
Closed 12 years ago
Out of bounds read in str_unescape
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
| Tracking | Status | |
|---|---|---|
| firefox14 | --- | affected |
| firefox15 | --- | affected |
| firefox16 | --- | affected |
| firefox17 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: scott.bell, Assigned: luke)
References
Details
(4 keywords, Whiteboard: [adv-track-main17+])
Attachments
(6 files)
I ran into this issue while fuzzing. ASAN reports this as a heap overflow. I wasn't able to symbolize the ASAN output for some unknown reason. However, I see it crashing at strange locations on different runs on optimized builds. In debug builds, it hits this assertion and crashes @ NULL: Assertion failure: mLength + 1 <= mReserved, at ./../../dist/include/js/Vector.h:788 Windbg references this code: mozjs!str_unescape+0x23e [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsstr.cpp @ 352] I have attached some logs from both debug and optimized builds.
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
|
|
Reporter | |
Comment 3•12 years ago
|
||
|
|
Reporter | |
Comment 4•12 years ago
|
||
|
|
Reporter | |
Comment 5•12 years ago
|
||
|
||
Updated•12 years ago
|
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Keywords: sec-high
Product: Firefox → Core
Summary: Crash @ mozjs!str_unescape+0x23e → Crash in str_unescape
|
Assignee | |
Comment 6•12 years ago
|
||
Thanks for reporting! The test-case reproduces in the shell. A debug build asserts early reporting a call to infallibleAppend that has not reserved enough space. Bug 708873 seems to be at fault; unfortunately the author is gone and the reviewer is on vacation. I guess I'll look at it. (cc'ing Jesse for fuzzer fodder.)
|
|
Assignee | |
Comment 7•12 years ago
|
||
Oh my, the bug is much simpler than that: there is an unsigned underflow in the expression (k > length - 6) when length < 6.
|
||
Updated•12 years ago
|
Attachment #648015 -
Flags: review?(dmandelin) → review+
|
|
Assignee | |
Comment 8•12 years ago
|
||
Reduced testcase:
unescape("0%u0000".substr(0,2))
Unfortunately, bug 708873 went out with FF11.
status-firefox14:
--- → affected
status-firefox15:
--- → affected
status-firefox16:
--- → affected
status-firefox17:
--- → affected
|
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
|
||
Comment 9•12 years ago
|
||
Per luke's request, I landed this fix on m-c inside an inbound merge commit rather than with its own changeset. You can confirm that the fix is present there. https://hg.mozilla.org/mozilla-central/rev/61d7f15ea6a7
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
|
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Whiteboard: [adv-track-main17+]
|
|
||
Updated•12 years ago
|
Alias: CVE-2012-4204
|
|
||
Updated•12 years ago
|
Flags: sec-bounty?
|
||
Comment 10•12 years ago
|
||
This bug was marked sec-high early before we understood the nature of the vulnerability. Understanding what the bug is now (out of bounds read), is that still appropriate? Will any part of this code write into an area assuming there's enough space because of the bogus length or it is only the read path that goes wrong?
Flags: needinfo?(luke)
Keywords: regression
|
|
Assignee | |
Comment 11•12 years ago
|
||
IIRC, there was the possibility of writing past the end of the buffer (infallibleAppend is being used), so this sec-high sounds appropriate.
Flags: needinfo?(luke)
|
|
||
Updated•12 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•12 years ago
|
Group: core-security
|
|
||
Updated•11 years ago
|
Keywords: crash
Summary: Crash in str_unescape → Out of bounds read in str_unescape
|
||
Updated•1 month ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•