Closed Bug 798677 (CVE-2012-4215) Opened 8 years ago Closed 8 years ago

Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent


(Core :: DOM: Editor, defect)




Tracking Status
firefox15 --- wontfix
firefox16 --- wontfix
firefox17 + fixed
firefox18 + fixed
firefox19 + fixed
firefox-esr10 17+ fixed


(Reporter: inferno, Assigned: smaug)


(Keywords: crash, csectype-uaf, sec-critical, Whiteboard: [asan][adv-track-main17+][adv-track-esr17+])


(2 files)

Attached file Testcase
Reproduces on trunk. Need to press Middle Mouse Scroll button to reproduce this.

==22895== ERROR: AddressSanitizer heap-use-after-free on address 0x7f905c63cd87 at pc 0x7f9088a312aa bp 0x7fff42180070 sp 0x7fff42180068
READ of size 1 at 0x7f905c63cd87 thread T0
    #0 0x7f9088a312a9 in nsPlaintextEditor::FireClipboardEvent(int) editor/libeditor/text/nsPlaintextEditor.cpp:1156
    #1 0x7f9088f59036 in nsHTMLEditor::Paste(int) editor/libeditor/html/nsHTMLDataTransfer.cpp:1477
    #2 0x7f9088b5dabf in nsEditorEventListener::MouseClick(nsIDOMEvent*) editor/libeditor/base/nsEditorEventListener.cpp:559
    #3 0x7f90891ec73e in nsHTMLEditorEventListener::MouseClick(nsIDOMEvent*) editor/libeditor/html/nsHTMLEditorEventListener.cpp:244
    #4 0x7f9088b57085 in nsEditorEventListener::HandleEvent(nsIDOMEvent*) editor/libeditor/base/nsEditorEventListener.cpp:316
    #5 0x7f90866aad7b in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:869
    #6 0x7f90866ac4f8 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:942
    #7 0x7f908684304f in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.h:143
    #8 0x7f9086832bee in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:182
    #9 0x7f90868301ad in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:283
    #10 0x7f9086836e79 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) content/events/src/nsEventDispatcher.cpp:629
    #11 0x7f908408f82c in PresShell::HandleEventInternal(nsEvent*, nsEventStatus*) layout/base/nsPresShell.cpp:6437
    #12 0x7f9084090cf1 in PresShell::HandleEventWithTarget(nsEvent*, nsIFrame*, nsIContent*, nsEventStatus*) layout/base/nsPresShell.cpp:6223
    #13 0x7f908671b9b2 in nsEventStateManager::CheckForAndDispatchClick(nsPresContext*, nsMouseEvent*, nsEventStatus*) content/events/src/nsEventStateManager.cpp:4526
    #14 0x7f9086715020 in nsEventStateManager::PostHandleEvent(nsPresContext*, nsEvent*, nsIFrame*, nsEventStatus*) content/events/src/nsEventStateManager.cpp:3282
    #15 0x7f90840900a9 in PresShell::HandleEventInternal(nsEvent*, nsEventStatus*) layout/base/nsPresShell.cpp:6462
    #16 0x7f9084089ea3 in PresShell::HandlePositionedEvent(nsIFrame*, nsGUIEvent*, nsEventStatus*) layout/base/nsPresShell.cpp:6208
    #17 0x7f9084081ed6 in PresShell::HandleEvent(nsIFrame*, nsGUIEvent*, bool, nsEventStatus*) layout/base/nsPresShell.cpp:6007
    #18 0x7f90879f339c in nsViewManager::DispatchEvent(nsGUIEvent*, nsIView*, nsEventStatus*) view/src/nsViewManager.cpp:767
    #19 0x7f90879def37 in nsView::HandleEvent(nsGUIEvent*, bool) view/src/nsView.cpp:1062
    #20 0x7f90879df18d in non-virtual thunk to nsView::HandleEvent(nsGUIEvent*, bool) :?
    #21 0x7f908d14ce0a in nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&) widget/gtk2/nsWindow.cpp:458
    #22 0x7f908d1817a5 in nsWindow::OnButtonReleaseEvent(_GtkWidget*, _GdkEventButton*) widget/gtk2/nsWindow.cpp:2772
    #23 0x7f908d197919 in button_release_event_cb(_GtkWidget*, _GdkEventButton*) widget/gtk2/nsWindow.cpp:5270
    #24 0x7f907eafcdd7 in ?? ??:0
0x7f905c63cd87 is located 263 bytes inside of 824-byte region [0x7f905c63cc80,0x7f905c63cfb8)
freed by thread T0 here:
    #0 0x4c3580 in __interceptor_free ??:?
    #1 0x7f909d419406 in moz_free memory/mozalloc/mozalloc.cpp:51
    #2 0x7f9088f964dd in operator delete(void*) ../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7f9088a7e3c4 in nsEditor::Release() editor/libeditor/base/nsEditor.cpp:211
    #4 0x7f9088f9e557 in nsHTMLEditor::Release() editor/libeditor/html/nsHTMLEditor.cpp:203
    #5 0x7f90821c209b in ~nsCOMPtr_base ../../dist/include/nsCOMPtr.h:408
    #6 0x7f9084234a69 in nsCOMPtr<nsIEditor>::~nsCOMPtr() ../../../dist/include/nsCOMPtr.h:447
    #7 0x7f908421d006 in nsCOMPtr<nsIEditor>::~nsCOMPtr() ../../../dist/include/nsCOMPtr.h:447
    #8 0x7f908c546887 in nsEditingSession::TearDownEditorOnWindow(nsIDOMWindow*) editor/composer/src/nsEditingSession.cpp:594
    #9 0x7f90872a579a in nsHTMLDocument::TurnEditingOff() content/html/document/src/nsHTMLDocument.cpp:2588
    #10 0x7f90872a6b95 in nsHTMLDocument::EditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2637
    #11 0x7f90872cb56c in nsHTMLDocument::MaybeEditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2342
    #12 0x7f90872cbd1d in nsHTMLDocument::EndUpdate(unsigned int) content/html/document/src/nsHTMLDocument.cpp:2355
    #13 0x7f90844ce1d3 in ~mozAutoDocUpdate content/xul/templates/src/../../../base/src/mozAutoDocUpdate.h:35
    #14 0x7f908449a6d6 in ~mozAutoDocUpdate content/xul/templates/src/../../../base/src/mozAutoDocUpdate.h:33
    #15 0x7f90858d85f6 in nsDocument::ResetToURI(nsIURI*, nsILoadGroup*, nsIPrincipal*) content/base/src/nsDocument.cpp:2143
    #16 0x7f9087297864 in nsHTMLDocument::ResetToURI(nsIURI*, nsILoadGroup*, nsIPrincipal*) content/html/document/src/nsHTMLDocument.cpp:285
    #17 0x7f90858d70fa in nsDocument::Reset(nsIChannel*, nsILoadGroup*) content/base/src/nsDocument.cpp:2081
    #18 0x7f908729737a in nsHTMLDocument::Reset(nsIChannel*, nsILoadGroup*) content/html/document/src/nsHTMLDocument.cpp:272
    #19 0x7f90872b92d0 in nsHTMLDocument::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, JSContext*, unsigned char, nsISupports**) content/html/document/src/nsHTMLDocument.cpp:1525
    #20 0x7f90872bd0d1 in non-virtual thunk to nsHTMLDocument::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, JSContext*, unsigned char, nsISupports**) :?
    #21 0x7f908f9244d3 in NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #22 0x7f908aab6bf8 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:3108
    #23 0x7f908ab14fe9 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1469
    #24 0x7f909604828f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:364
    #25 0x7f9095fea1bc in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) js/src/jsinterp.cpp:2461
    #26 0x7f9095f35c1e in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) js/src/jsinterp.cpp:324
    #27 0x7f9096048a80 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:378
    #28 0x7f909589ab84 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:109
    #29 0x7f909604ded0 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:411
previously allocated by thread T0 here:
    #0 0x4c3640 in malloc ??:?
    #1 0x7f909d41955a in moz_xmalloc memory/mozalloc/mozalloc.cpp:57
    #2 0x7f9083a71abe in operator new(unsigned long) ../../dist/include/mozilla/mozalloc.h:200
    #3 0x7f908f4dd07b in mozilla::GenericFactory::CreateInstance(nsISupports*, nsID const&, void**) objdir-ff-asan-sym/xpcom/build/GenericFactory.cpp:16
    #4 0x7f908f7bb5cc in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1006
    #5 0x7f908f466df9 in CallCreateInstance(char const*, nsISupports*, nsID const&, void**) objdir-ff-asan-sym/xpcom/build/nsComponentManagerUtils.cpp:135
    #6 0x7f908f4681cb in nsCreateInstanceByContractID::operator()(nsID const&, void**) const objdir-ff-asan-sym/xpcom/build/nsComponentManagerUtils.cpp:178
    #7 0x7f908f45bb1c in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:110
    #8 0x7f9086a39c6e in nsCOMPtr<nsIEditor>::operator=(nsCOMPtr_helper const&) ../../../dist/include/nsCOMPtr.h:689
    #9 0x7f908c53f554 in nsEditingSession::SetupEditorOnWindow(nsIDOMWindow*) editor/composer/src/nsEditingSession.cpp:423
    #10 0x7f908c536a00 in nsEditingSession::MakeWindowEditable(nsIDOMWindow*, char const*, bool, bool, bool) editor/composer/src/nsEditingSession.cpp:173
    #11 0x7f90872a7d7b in nsHTMLDocument::EditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2696
    #12 0x7f90872cb56c in nsHTMLDocument::MaybeEditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2342
    #13 0x7f90872cbd1d in nsHTMLDocument::EndUpdate(unsigned int) content/html/document/src/nsHTMLDocument.cpp:2355
    #14 0x7f9088e0983a in nsHtml5TreeOpExecutor::EndDocUpdate() parser/html/nsHtml5TreeOpExecutor.h:248
    #15 0x7f9088e08e78 in nsHtml5TreeOpExecutor::DidBuildModel(bool) parser/html/nsHtml5TreeOpExecutor.cpp:131
    #16 0x7f9088df6188 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) parser/html/nsHtml5TreeOperation.cpp:639
    #17 0x7f9088e0d435 in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:564
    #18 0x7f9088e49b19 in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:127
    #19 0x7f908f811440 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #20 0x7f908f4a22bb in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #21 0x7f908de4d956 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #22 0x7f908faeaab1 in MessageLoop::RunInternal() ipc/chromium/src/base/
    #23 0x7f908faea8e6 in MessageLoop::RunHandler() ipc/chromium/src/base/
    #24 0x7f908faea7cb in MessageLoop::Run() ipc/chromium/src/base/
Shadow byte and word:
  0x1ff20b8c79b0: fd
  0x1ff20b8c79b0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff20b8c7990: fd fd fd fd fd fd fd fd
  0x1ff20b8c7998: fd fd fd fd fd fd fd fd
  0x1ff20b8c79a0: fd fd fd fd fd fd fd fd
  0x1ff20b8c79a8: fd fd fd fd fd fd fd fd
=>0x1ff20b8c79b0: fd fd fd fd fd fd fd fd
  0x1ff20b8c79b8: fd fd fd fd fd fd fd fd
  0x1ff20b8c79c0: fd fd fd fd fd fd fd fd
  0x1ff20b8c79c8: fd fd fd fd fd fd fd fd
  0x1ff20b8c79d0: fd fd fd fd fd fd fd fd
Stats: 250M malloced (292M for red zones) by 500781 calls
Stats: 42M realloced by 23522 calls
Stats: 222M freed by 274938 calls
Stats: 88M really freed by 188351 calls
Stats: 476M (121944 full pages) mmaped in 119 calls
  mmaps   by size class: 8:294894; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:256; 16:1152; 17:1280; 18:128; 19:40; 20:20;
  mallocs by size class: 8:434817; 9:32109; 10:8727; 11:16263; 12:2466; 13:1715; 14:1538; 15:314; 16:1299; 17:1322; 18:151; 19:40; 20:20;
  frees   by size class: 8:225151; 9:23605; 10:5504; 11:13174; 12:1615; 13:1517; 14:1380; 15:265; 16:1236; 17:1305; 18:132; 19:37; 20:17;
  rfrees  by size class: 8:165731; 9:8622; 10:2115; 11:8698; 12:626; 13:552; 14:481; 15:146; 16:1042; 17:308; 18:25; 19:4; 20:1;
Stats: malloc large: 1533 small slow: 2447
==22895== ABORTING
Component: General → Editor
Product: Firefox → Core
Assignee: nobody → bugs
Attached patch patch
[Security approval request comment]
How easily can the security issue be deduced from the patch?
Reasonably easy, IMO. kungFuDeathGrip is always a sign of a certain type of crash.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
kungFuDeathGrip is quite a bit higher up in the stack where the crash actually happens,
so it should take some time to see the exact problem.

Which older supported branches are affected by this flaw?

Do you have backports for the affected branches?
Same patch should work everywhere.

How likely is this patch to cause regressions; how much testing does it need?
*very* unlikely to cause any regressions.
Attachment #668774 - Flags: sec-approval?
Attachment #668774 - Flags: review?(ehsan)
Comment on attachment 668774

Review of attachment 668774:

Attachment #668774 - Flags: review?(ehsan) → review+
Given the position of the added kungFuDeathGrip it seems likely there's a path
leading to a virtual method call on that deleted mEditor, so I'm tentatively
rating this as sec-critical.  Ehsan, Olli, does that seem correct to you?
Severity: normal → critical
Keywords: crash, sec-critical
Whiteboard: [asan]
Sounds right
(In reply to Mats Palmgren [:mats] from comment #3)
> Given the position of the added kungFuDeathGrip it seems likely there's a path
> leading to a virtual method call on that deleted mEditor, so I'm tentatively
> rating this as sec-critical.  Ehsan, Olli, does that seem correct to you?

For sec-approval status, we're shipping tomorrow so we can't get this in the current release and kungFuDeathGrip is a big giveaway. Because of that, we'll sit on this for a few weeks (three or so) and will approve the checkin then.
Keywords: csec-uaf
Whiteboard: [asan] → [asan] wait until Oct 21 to land.
Whiteboard: [asan] wait until Oct 21 to land. → [asan]
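The lifetime bug the two stack traces above describe, as an added C++ model that is not Mozilla's code: an event listener keeps a raw pointer to a refcounted editor, the paste it handles fires a clipboard event whose page script can call document.open() (which tears the editor down through nsEditingSession), and the listener then touches the freed object. The fixed variant holds a local strong reference for the whole call, which is the kungFuDeathGrip idiom the patch discussion refers to. Editor, EditorRef, EditingSession, EditorEventListener and pageScript are hypothetical stand-ins for the Gecko classes named in the traces; the live-object counter replaces the read of freed memory that AddressSanitizer caught, so the model runs without undefined behaviour.

```cpp
// Added illustration, not Mozilla code: minimal model of the editor lifetime bug.
#include <cstdio>
#include <functional>

static int g_liveEditors = 0;  // instrumentation: how many Editor objects exist right now

// Hypothetical stand-in for nsEditor: intrusive refcount, freed when it reaches zero.
struct Editor {
    int refcnt = 0;
    bool pasted = false;
    Editor() { ++g_liveEditors; }
    ~Editor() { --g_liveEditors; }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
    void Paste() { pasted = true; }  // stand-in for nsHTMLEditor::Paste
};

// Hypothetical stand-in for nsCOMPtr<nsIEditor>: an RAII strong reference.
class EditorRef {
    Editor* p_ = nullptr;
public:
    EditorRef() = default;
    explicit EditorRef(Editor* p) : p_(p) { if (p_) p_->AddRef(); }
    EditorRef(const EditorRef& o) : p_(o.p_) { if (p_) p_->AddRef(); }
    EditorRef& operator=(const EditorRef&) = delete;
    ~EditorRef() { if (p_) p_->Release(); }
    Editor* get() const { return p_; }
    void reset() { if (p_) p_->Release(); p_ = nullptr; }
};

// Hypothetical stand-in for nsEditingSession: the single strong owner of the editor.
struct EditingSession {
    EditorRef editor;
    EditingSession() : editor(new Editor) {}
    void TearDown() { editor.reset(); }  // TurnEditingOff -> TearDownEditorOnWindow path
};

// Hypothetical stand-in for nsEditorEventListener.
struct EditorEventListener {
    Editor* mEditor;                   // raw pointer: does not keep the editor alive
    std::function<void()> pageScript;  // constructed stand-in for script run by the clipboard event

    // Buggy shape: nothing holds mEditor across the event dispatch.
    // Returns true when the editor is already freed at the point of use, which
    // is where the real code performed the READ that AddressSanitizer reported.
    bool MouseClickUnsafe() {
        Editor* editor = mEditor;
        pageScript();                          // FireClipboardEvent -> script -> document.open()
        if (g_liveEditors == 0) return true;   // editor->Paste() here would be the use-after-free
        editor->Paste();
        return false;
    }

    // Fixed shape: a local strong reference outlives everything the event can do.
    // Returns true when the editor was still alive after the script ran.
    bool MouseClickGuarded() {
        EditorRef kungFuDeathGrip(mEditor);    // +1 until this function returns
        pageScript();                          // session may drop its reference here
        bool alive = g_liveEditors == 1;
        kungFuDeathGrip.get()->Paste();        // safe: our reference keeps the object valid
        return alive;                          // object is freed at '}' if the session let go
    }
};

// Scenario from the testcase: page script tears editing down during paste handling.
bool UnsafePathUsesFreedEditor() {
    EditingSession session;
    EditorEventListener listener{session.editor.get(), [&] { session.TearDown(); }};
    return listener.MouseClickUnsafe();        // true: editor gone before it is used
}

bool GuardedPathKeepsEditorAlive() {
    EditingSession session;
    EditorEventListener listener{session.editor.get(), [&] { session.TearDown(); }};
    bool alive = listener.MouseClickGuarded();
    return alive && g_liveEditors == 0;        // alive during the call, freed afterwards, no leak
}

int main() {
    std::printf("unsafe path touches freed editor: %s\n", UnsafePathUsesFreedEditor() ? "yes" : "no");
    std::printf("guarded path keeps editor alive:  %s\n", GuardedPathKeepsEditorAlive() ? "yes" : "no");
    return 0;
}
```

The important property of the grip is that it is taken before the first re-entrant call (the event dispatch) and is the last thing released, so any ownership change the page script causes only delays destruction to the end of the handler instead of freeing the object underneath it. Clearing the raw mEditor when the session tears down would be a separate hardening; the grip alone is what closes the crash.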
Comment on attachment 668774

Attachment #668774 - Flags: sec-approval? → sec-approval+
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 668774

[Approval Request Comment]
User impact if declined: crashes
Fix Landed on Version: FF19
Risk to taking this patch (and alternatives if risky): super safe
String or UUID changes made by this patch: NA
Bug caused by (feature/regressing bug #): old stuff
Attachment #668774 - Flags: approval-mozilla-esr10?
Attachment #668774 - Flags: approval-mozilla-beta?
Attachment #668774 - Flags: approval-mozilla-aurora?
Comment on attachment 668774

Approving for uplift with the assumption that you'll wait to confirm a green build on m-c before continuing, since it's only been 4 hours, but approving now so that these will get in before we go to build with beta 3.
Attachment #668774 - Flags: approval-mozilla-esr10?
Attachment #668774 - Flags: approval-mozilla-esr10+
Attachment #668774 - Flags: approval-mozilla-beta?
Attachment #668774 - Flags: approval-mozilla-beta+
Attachment #668774 - Flags: approval-mozilla-aurora?
Attachment #668774 - Flags: approval-mozilla-aurora+
Whiteboard: [asan] → [asan][adv-track-main17+][adv-track-esr17+]
Keywords: verifyme
Alias: CVE-2012-4215
Flags: sec-bounty?
This bug qualifies for a security bug bounty.
Flags: sec-bounty? → sec-bounty+
Group: core-security
Mass remove verifyme requests greater than 4 months old.
Keywords: verifyme