Bug 798677 - (CVE-2012-4215) Heap-use-after-free in nsPlaintextEditor::FireClipboardEvent
Status: RESOLVED FIXED
Whiteboard: [asan][adv-track-main17+][adv-track-e...
Keywords: crash, csectype-uaf, sec-critical
Product: Core
Classification: Components
Component: Editor
Version: Trunk
Hardware/OS: x86_64 All
Priority/Severity: -- critical
Assigned To: Olli Pettay [:smaug] (high review load, please consider other reviewers)
Reported: 2012-10-05 18:26 PDT by Abhishek Arya
Modified: 2014-07-24 14:37 PDT
dveditz: sec‑bounty+

Attachments
Testcase (425 bytes, text/html)
2012-10-05 18:26 PDT, Abhishek Arya
no flags
patch (744 bytes, patch)
2012-10-06 06:37 PDT, Olli Pettay [:smaug] (high review load, please consider other reviewers)
ehsan: review+
lukasblakk+bugs: approval‑mozilla‑aurora+
lukasblakk+bugs: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr10+
dveditz: sec‑approval+
Description Abhishek Arya 2012-10-05 18:26:44 PDT
Created attachment 668704 [details]
Testcase

Reproduces on trunk. Need to press Middle Mouse Scroll button to reproduce this.

=================================================================
==22895== ERROR: AddressSanitizer heap-use-after-free on address 0x7f905c63cd87 at pc 0x7f9088a312aa bp 0x7fff42180070 sp 0x7fff42180068
READ of size 1 at 0x7f905c63cd87 thread T0
    #0 0x7f9088a312a9 in nsPlaintextEditor::FireClipboardEvent(int) editor/libeditor/text/nsPlaintextEditor.cpp:1156
    #1 0x7f9088f59036 in nsHTMLEditor::Paste(int) editor/libeditor/html/nsHTMLDataTransfer.cpp:1477
    #2 0x7f9088b5dabf in nsEditorEventListener::MouseClick(nsIDOMEvent*) editor/libeditor/base/nsEditorEventListener.cpp:559
    #3 0x7f90891ec73e in nsHTMLEditorEventListener::MouseClick(nsIDOMEvent*) editor/libeditor/html/nsHTMLEditorEventListener.cpp:244
    #4 0x7f9088b57085 in nsEditorEventListener::HandleEvent(nsIDOMEvent*) editor/libeditor/base/nsEditorEventListener.cpp:316
    #5 0x7f90866aad7b in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:869
    #6 0x7f90866ac4f8 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.cpp:942
    #7 0x7f908684304f in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) content/events/src/nsEventListenerManager.h:143
    #8 0x7f9086832bee in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:182
    #9 0x7f90868301ad in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) content/events/src/nsEventDispatcher.cpp:283
    #10 0x7f9086836e79 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) content/events/src/nsEventDispatcher.cpp:629
    #11 0x7f908408f82c in PresShell::HandleEventInternal(nsEvent*, nsEventStatus*) layout/base/nsPresShell.cpp:6437
    #12 0x7f9084090cf1 in PresShell::HandleEventWithTarget(nsEvent*, nsIFrame*, nsIContent*, nsEventStatus*) layout/base/nsPresShell.cpp:6223
    #13 0x7f908671b9b2 in nsEventStateManager::CheckForAndDispatchClick(nsPresContext*, nsMouseEvent*, nsEventStatus*) content/events/src/nsEventStateManager.cpp:4526
    #14 0x7f9086715020 in nsEventStateManager::PostHandleEvent(nsPresContext*, nsEvent*, nsIFrame*, nsEventStatus*) content/events/src/nsEventStateManager.cpp:3282
    #15 0x7f90840900a9 in PresShell::HandleEventInternal(nsEvent*, nsEventStatus*) layout/base/nsPresShell.cpp:6462
    #16 0x7f9084089ea3 in PresShell::HandlePositionedEvent(nsIFrame*, nsGUIEvent*, nsEventStatus*) layout/base/nsPresShell.cpp:6208
    #17 0x7f9084081ed6 in PresShell::HandleEvent(nsIFrame*, nsGUIEvent*, bool, nsEventStatus*) layout/base/nsPresShell.cpp:6007
    #18 0x7f90879f339c in nsViewManager::DispatchEvent(nsGUIEvent*, nsIView*, nsEventStatus*) view/src/nsViewManager.cpp:767
    #19 0x7f90879def37 in nsView::HandleEvent(nsGUIEvent*, bool) view/src/nsView.cpp:1062
    #20 0x7f90879df18d in non-virtual thunk to nsView::HandleEvent(nsGUIEvent*, bool) :?
    #21 0x7f908d14ce0a in nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&) widget/gtk2/nsWindow.cpp:458
    #22 0x7f908d1817a5 in nsWindow::OnButtonReleaseEvent(_GtkWidget*, _GdkEventButton*) widget/gtk2/nsWindow.cpp:2772
    #23 0x7f908d197919 in button_release_event_cb(_GtkWidget*, _GdkEventButton*) widget/gtk2/nsWindow.cpp:5270
    #24 0x7f907eafcdd7 in ?? ??:0
0x7f905c63cd87 is located 263 bytes inside of 824-byte region [0x7f905c63cc80,0x7f905c63cfb8)
freed by thread T0 here:
    #0 0x4c3580 in __interceptor_free ??:?
    #1 0x7f909d419406 in moz_free memory/mozalloc/mozalloc.cpp:51
    #2 0x7f9088f964dd in operator delete(void*) ../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7f9088a7e3c4 in nsEditor::Release() editor/libeditor/base/nsEditor.cpp:211
    #4 0x7f9088f9e557 in nsHTMLEditor::Release() editor/libeditor/html/nsHTMLEditor.cpp:203
    #5 0x7f90821c209b in ~nsCOMPtr_base ../../dist/include/nsCOMPtr.h:408
    #6 0x7f9084234a69 in nsCOMPtr<nsIEditor>::~nsCOMPtr() ../../../dist/include/nsCOMPtr.h:447
    #7 0x7f908421d006 in nsCOMPtr<nsIEditor>::~nsCOMPtr() ../../../dist/include/nsCOMPtr.h:447
    #8 0x7f908c546887 in nsEditingSession::TearDownEditorOnWindow(nsIDOMWindow*) editor/composer/src/nsEditingSession.cpp:594
    #9 0x7f90872a579a in nsHTMLDocument::TurnEditingOff() content/html/document/src/nsHTMLDocument.cpp:2588
    #10 0x7f90872a6b95 in nsHTMLDocument::EditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2637
    #11 0x7f90872cb56c in nsHTMLDocument::MaybeEditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2342
    #12 0x7f90872cbd1d in nsHTMLDocument::EndUpdate(unsigned int) content/html/document/src/nsHTMLDocument.cpp:2355
    #13 0x7f90844ce1d3 in ~mozAutoDocUpdate content/xul/templates/src/../../../base/src/mozAutoDocUpdate.h:35
    #14 0x7f908449a6d6 in ~mozAutoDocUpdate content/xul/templates/src/../../../base/src/mozAutoDocUpdate.h:33
    #15 0x7f90858d85f6 in nsDocument::ResetToURI(nsIURI*, nsILoadGroup*, nsIPrincipal*) content/base/src/nsDocument.cpp:2143
    #16 0x7f9087297864 in nsHTMLDocument::ResetToURI(nsIURI*, nsILoadGroup*, nsIPrincipal*) content/html/document/src/nsHTMLDocument.cpp:285
    #17 0x7f90858d70fa in nsDocument::Reset(nsIChannel*, nsILoadGroup*) content/base/src/nsDocument.cpp:2081
    #18 0x7f908729737a in nsHTMLDocument::Reset(nsIChannel*, nsILoadGroup*) content/html/document/src/nsHTMLDocument.cpp:272
    #19 0x7f90872b92d0 in nsHTMLDocument::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, JSContext*, unsigned char, nsISupports**) content/html/document/src/nsHTMLDocument.cpp:1525
    #20 0x7f90872bd0d1 in non-virtual thunk to nsHTMLDocument::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, JSContext*, unsigned char, nsISupports**) :?
    #21 0x7f908f9244d3 in NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #22 0x7f908aab6bf8 in CallMethodHelper::Invoke() js/xpconnect/src/XPCWrappedNative.cpp:3108
    #23 0x7f908ab14fe9 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1469
    #24 0x7f909604828f in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:364
    #25 0x7f9095fea1bc in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) js/src/jsinterp.cpp:2461
    #26 0x7f9095f35c1e in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) js/src/jsinterp.cpp:324
    #27 0x7f9096048a80 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jsinterp.cpp:378
    #28 0x7f909589ab84 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) js/src/jsinterp.h:109
    #29 0x7f909604ded0 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) js/src/jsinterp.cpp:411
previously allocated by thread T0 here:
    #0 0x4c3640 in malloc ??:?
    #1 0x7f909d41955a in moz_xmalloc memory/mozalloc/mozalloc.cpp:57
    #2 0x7f9083a71abe in operator new(unsigned long) ../../dist/include/mozilla/mozalloc.h:200
    #3 0x7f908f4dd07b in mozilla::GenericFactory::CreateInstance(nsISupports*, nsID const&, void**) objdir-ff-asan-sym/xpcom/build/GenericFactory.cpp:16
    #4 0x7f908f7bb5cc in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1006
    #5 0x7f908f466df9 in CallCreateInstance(char const*, nsISupports*, nsID const&, void**) objdir-ff-asan-sym/xpcom/build/nsComponentManagerUtils.cpp:135
    #6 0x7f908f4681cb in nsCreateInstanceByContractID::operator()(nsID const&, void**) const objdir-ff-asan-sym/xpcom/build/nsComponentManagerUtils.cpp:178
    #7 0x7f908f45bb1c in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:110
    #8 0x7f9086a39c6e in nsCOMPtr<nsIEditor>::operator=(nsCOMPtr_helper const&) ../../../dist/include/nsCOMPtr.h:689
    #9 0x7f908c53f554 in nsEditingSession::SetupEditorOnWindow(nsIDOMWindow*) editor/composer/src/nsEditingSession.cpp:423
    #10 0x7f908c536a00 in nsEditingSession::MakeWindowEditable(nsIDOMWindow*, char const*, bool, bool, bool) editor/composer/src/nsEditingSession.cpp:173
    #11 0x7f90872a7d7b in nsHTMLDocument::EditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2696
    #12 0x7f90872cb56c in nsHTMLDocument::MaybeEditingStateChanged() content/html/document/src/nsHTMLDocument.cpp:2342
    #13 0x7f90872cbd1d in nsHTMLDocument::EndUpdate(unsigned int) content/html/document/src/nsHTMLDocument.cpp:2355
    #14 0x7f9088e0983a in nsHtml5TreeOpExecutor::EndDocUpdate() parser/html/nsHtml5TreeOpExecutor.h:248
    #15 0x7f9088e08e78 in nsHtml5TreeOpExecutor::DidBuildModel(bool) parser/html/nsHtml5TreeOpExecutor.cpp:131
    #16 0x7f9088df6188 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) parser/html/nsHtml5TreeOperation.cpp:639
    #17 0x7f9088e0d435 in nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp:564
    #18 0x7f9088e49b19 in nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp:127
    #19 0x7f908f811440 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #20 0x7f908f4a22bb in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #21 0x7f908de4d956 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #22 0x7f908faeaab1 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:208
    #23 0x7f908faea8e6 in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:201
    #24 0x7f908faea7cb in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:175
==22895== ABORTING
Comment 1 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-10-06 06:37:41 PDT
Created attachment 668774 [details] [diff] [review]
patch

[Security approval request comment]
How easily can the security issue be deduced from the patch?
Reasonably easy, IMO. kungFuDeathGrip is always a sign of a certain type of crash.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
kungFuDeathGrip is quite a bit higher up in the stack where the crash actually happens,
so it should take some time to see the exact problem.

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches?
Same patch should work everywhere.

How likely is this patch to cause regressions; how much testing does it need?
*very* unlikely to cause any regressions.
Comment 2 :Ehsan Akhgari (out sick) 2012-10-06 07:36:06 PDT
Comment on attachment 668774 [details] [diff] [review]
patch

Review of attachment 668774 [details] [diff] [review]:
-----------------------------------------------------------------

r=me
Comment 3 Mats Palmgren (:mats) 2012-10-06 19:24:45 PDT
Given the position of the added kungFuDeathGrip it seems likely there's a path
leading to a virtual method call on that deleted mEditor, so I'm tentatively
rating this as sec-critical.  Ehsan, Olli, does that seem correct to you?
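A model of the bug and of the fix discussed above, added here as an example (it is not code from the bug, the testcase or the patch): a refcounted editor whose only owner can drop it from inside the clipboard event, the vulnerable listener that reaches it through a raw pointer, and the fixed listener holding a stack-scoped strong reference. Editor, EditorRef, the live-id registry and the handler hook are constructed stand-ins for nsHTMLEditor, nsCOMPtr<nsIEditor>, ASan's bookkeeping and the page script.

```cpp
#include <functional>
#include <set>
// Live editor ids (bookkeeping constructed for this example): lets the demo
// detect "destroyed during the call" without reading freed memory.
static std::set<unsigned> gLiveEditors;
// Stands in for page script run while the clipboard event is dispatched.
static std::function<void()> gClipboardEventHandler;

struct Editor {
    unsigned mId;
    int mRefCnt = 0;
    explicit Editor(unsigned id) : mId(id) { gLiveEditors.insert(id); }
    ~Editor() { gLiveEditors.erase(mId); }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    // Like nsHTMLEditor::Paste -> FireClipboardEvent: true iff the editor
    // still exists once control comes back after the event.
    bool Paste() {
        unsigned id = mId;                  // copy first: `this` may die below
        if (gClipboardEventHandler) gClipboardEventHandler();
        return gLiveEditors.count(id) != 0; // false: `this` is now dangling
    }
};

// Minimal strong pointer standing in for nsCOMPtr<nsIEditor>.
struct EditorRef {
    Editor* p;
    explicit EditorRef(Editor* e) : p(e) { if (p) p->AddRef(); }
    ~EditorRef() { Reset(); }
    void Reset() { if (p) p->Release(); p = nullptr; }
};

// Vulnerable: the listener goes through the owner's raw pointer, so a teardown
// during the event frees the editor underneath the running Paste() call.
bool MouseClickUnsafe(EditorRef& owner) { return owner.p->Paste(); }

// Fixed: a stack-held strong reference (the "kungFuDeathGrip") keeps the
// editor alive until this returns, whatever the event handler does.
bool MouseClickFixed(EditorRef& owner) {
    EditorRef kungFuDeathGrip(owner.p);
    return kungFuDeathGrip.p->Paste();
}

// One middle click; `owner` plays nsEditingSession::mEditor and the handler's
// Reset() is TearDownEditorOnWindow (reached via document.open() in the testcase).
bool RunScenario(bool fixed) {
    EditorRef owner(new Editor(1));
    gClipboardEventHandler = [&owner] { owner.Reset(); };
    return fixed ? MouseClickFixed(owner) : MouseClickUnsafe(owner);
}
```

RunScenario(false) returns false because the editor is already gone when Paste() regains control, which is the point in FireClipboardEvent where ASan reported the read; RunScenario(true) returns true and the editor is released only when the grip leaves scope.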
Comment 4 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-10-07 04:02:08 PDT
Sounds right
Comment 5 :Ehsan Akhgari (out sick) 2012-10-07 14:34:31 PDT
(In reply to Mats Palmgren [:mats] from comment #3)
> Given the position of the added kungFuDeathGrip it seems likely there's a path
> leading to a virtual method call on that deleted mEditor, so I'm tentatively
> rating this as sec-critical.  Ehsan, Olli, does that seem correct to you?

Yes.
Comment 6 Al Billings [:abillings] 2012-10-08 10:38:28 PDT
For sec-approval status, we're shipping tomorrow so we can't get this in the current release and kungFuDeathGrip is a big giveaway. Because of that, we'll sit on this for a few weeks (three or so) and will approve the checkin then.
Comment 7 Daniel Veditz [:dveditz] 2012-10-21 00:37:26 PDT
Comment on attachment 668774 [details] [diff] [review]
patch

sec-approval+
Comment 8 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-10-21 05:38:45 PDT
https://hg.mozilla.org/mozilla-central/rev/1c3e4cb1f754
Comment 9 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-10-21 05:39:48 PDT
Comment on attachment 668774 [details] [diff] [review]
patch

[Approval Request Comment]
User impact if declined: crashes
Fix Landed on Version: FF19
Risk to taking this patch (and alternatives if risky): super safe
String or UUID changes made by this patch: NA
Bug caused by (feature/regressing bug #): old stuff
Comment 10 Lukas Blakk [:lsblakk] use ?needinfo 2012-10-21 10:05:10 PDT
Comment on attachment 668774 [details] [diff] [review]
patch

approving for uplift with the assumption that you'll wait to confirm a green build on m-c before continuing since it's only been 4 hours, but approving now so that these will get in before we go to build with beta 3.
Comment 12 Daniel Veditz [:dveditz] 2012-11-19 15:25:34 PST
This bug qualifies for a security bug bounty.
Comment 14 Tracy Walker [:tracy] 2014-01-10 10:42:43 PST
mass remove verifyme requests greater than 4 months old
