Bug 801330 (CVE-2013-0779)

out-of-bounds-read in nsCodingStateMachine::NextState

RESOLVED FIXED in Firefox 19

Status


Core
Internationalization
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: Abhishek Arya, Assigned: mats)

Tracking

({csectype-bounds, sec-low})

Trunk
mozilla19
x86_64
All
csectype-bounds, sec-low
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox19 fixed, firefox-esr10 wontfix, firefox-esr17 wontfix, b2g18 wontfix)

Details

(Whiteboard: [asan][adv-main19+])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 671125 [details]
Testcase

Reproduces on trunk. Open the testcase and change character encoding View->Character Encoding->Auto-Detect->East Asian.

=================================================================
==32448== ERROR: AddressSanitizer global-buffer-overflow on address 0x7f2050d63e60 at pc 0x7f204271648c bp 0x7f20125fbfb0 sp 0x7f20125fbfa8
READ of size 4 at 0x7f2050d63e60 thread T27
    #0 0x7f204271648b in nsCodingStateMachine::NextState(char) extensions/universalchardet/src/base/nsCodingStateMachine.h:37
    #1 0x7f2042720237 in nsEscCharSetProber::HandleData(char const*, unsigned int) extensions/universalchardet/src/base/nsEscCharsetProber.cpp:56
    #2 0x7f204273c9be in nsUniversalDetector::HandleData(char const*, unsigned int) extensions/universalchardet/src/base/nsUniversalDetector.cpp:169
    #3 0x7f20427060b6 in nsXPCOMDetector::DoIt(char const*, unsigned int, bool*) extensions/universalchardet/src/xpcom/nsUdetXPCOMWrapper.cpp:57
    #4 0x7f204270663c in non-virtual thunk to nsXPCOMDetector::DoIt(char const*, unsigned int, bool*) :?
    #5 0x7f203e90c6ed in nsHtml5StreamParser::FinalizeSniffing(unsigned char const*, unsigned int, unsigned int*, unsigned int) parser/html/nsHtml5StreamParser.cpp:584
    #6 0x7f203e916118 in nsHtml5StreamParser::DoStopRequest() parser/html/nsHtml5StreamParser.cpp:1001
    #7 0x7f203e9257a1 in nsHtml5RequestStopper::Run() parser/html/nsHtml5StreamParser.cpp:1027
    #8 0x7f204530f4f0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #9 0x7f2044fa036b in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #10 0x7f204530732e in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:256
    #11 0x7f20563eed16 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:156
    #12 0x4c627a in __asan::AsanThread::ThreadStart() ??:?
0x7f2050d63e60 is located 0 bytes to the right of global variable 'ISO2022JPCharLenTable (extensions/universalchardet/src/base/nsEscSM.cpp)' (0x7f2050d63e40) of size 32
  'ISO2022JPCharLenTable (extensions/universalchardet/src/base/nsEscSM.cpp)' is ascii string ''
Shadow byte and word:
  0x1fe40a1ac7cc: f9
  0x1fe40a1ac7c8: 00 00 00 00 f9 f9 f9 f9
More shadow bytes:
  0x1fe40a1ac7a8: 00 00 00 00 00 00 00 00
  0x1fe40a1ac7b0: 00 00 00 00 f9 f9 f9 f9
  0x1fe40a1ac7b8: 00 00 00 00 00 00 00 00
  0x1fe40a1ac7c0: 04 f9 f9 f9 f9 f9 f9 f9
=>0x1fe40a1ac7c8: 00 00 00 00 f9 f9 f9 f9
  0x1fe40a1ac7d0: 00 00 00 00 00 04 f9 f9
  0x1fe40a1ac7d8: f9 f9 f9 f9 00 00 00 00
  0x1fe40a1ac7e0: 00 00 00 00 00 00 00 00
  0x1fe40a1ac7e8: 00 00 00 00 f9 f9 f9 f9
Thread T27 created by T0 here:
    #0 0x4bf8e4 in __interceptor_pthread_create ??:?
    #1 0x7f20563dff8f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:393
    #2 0x7f20563ddd3c in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:476
    #3 0x7f204530a3ee in nsThread::Init() xpcom/threads/nsThread.cpp:322
    #4 0x7f20453213ca in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:215
    #5 0x7f2044f9d7fb in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:49
    #6 0x7f203e8b22db in tag_nsresult NS_NewNamedThread_P<13ul>(char const (&) [13ul], nsIThread**, nsIRunnable*, unsigned int) ../../dist/include/nsThreadUtils.h:88
    #7 0x7f203e8b1c49 in nsHtml5Module::GetStreamParserThread() parser/html/nsHtml5Module.cpp:118
    #8 0x7f203e8ff98f in nsHtml5StreamParser parser/html/nsHtml5StreamParser.cpp:164
    #9 0x7f203e6ddc66 in nsHtml5Parser::MarkAsNotScriptCreated(char const*) parser/html/nsHtml5Parser.cpp:575
    #10 0x7f203cd70640 in nsHTMLDocument::StartDocumentLoad(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsIStreamListener**, bool, nsIContentSink*) content/html/document/src/nsHTMLDocument.cpp:629
    #11 0x7f203954f60e in nsContentDLF::CreateDocument(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsID const&, nsIStreamListener**, nsIContentViewer**) layout/build/nsContentDLF.cpp:413
    #12 0x7f203954c3c2 in nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, char const*, nsISupports*, nsISupports*, nsIStreamListener**, nsIContentViewer**) layout/build/nsContentDLF.cpp:207
    #13 0x7f20414a2b17 in nsDocShell::NewContentViewerObj(char const*, nsIRequest*, nsILoadGroup*, nsIStreamListener**, nsIContentViewer**) docshell/base/nsDocShell.cpp:7927
    #14 0x7f204149ad82 in nsDocShell::CreateContentViewer(char const*, nsIRequest*, nsIStreamListener**) docshell/base/nsDocShell.cpp:7732
    #15 0x7f2041534339 in nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*) docshell/base/nsDSURIContentListener.cpp:122
    #16 0x7f2041562eff in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) uriloader/base/nsURILoader.cpp:654
    #17 0x7f204155e824 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:356
    #18 0x7f204155d15c in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:248
    #19 0x7f2037aff3a2 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) netwerk/base/src/nsBaseChannel.cpp:740
    #20 0x7f2037b00ea6 in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) :?
    #21 0x7f2037b9a644 in nsInputStreamPump::OnStateStart() netwerk/base/src/nsInputStreamPump.cpp:417
    #22 0x7f2037b99841 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:368
    #23 0x7f2037b9cc5e in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) :?
    #24 0x7f2045201065 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:82
    #25 0x7f204530f4f0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #26 0x7f2044fa036b in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #27 0x7f20439437b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #28 0x7f20455e9401 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:215
    #29 0x7f20455e9236 in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:208
    #30 0x7f20455e911b in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:182
    #31 0x7f2042de527a in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #32 0x7f2041a13f84 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:290
    #33 0x7f20379c55ed in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3792
    #34 0x7f20379cb465 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3858
    #35 0x7f20379ce314 in XRE_main toolkit/xre/nsAppRunner.cpp:3933
    #36 0x40baa3 in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
    #37 0x4091e5 in main browser/app/nsBrowserApp.cpp:279
    #38 0x7f205727076c in ?? ??:0
Stats: 96M malloced (135M for red zones) by 337281 calls
Stats: 4M realloced by 18985 calls
Stats: 73M freed by 210542 calls
Stats: 0M really freed by 0 calls
Stats: 268M (68645 full pages) mmaped in 67 calls
  mmaps   by size class: 8:311277; 9:32764; 10:12285; 11:8188; 12:3072; 13:1536; 14:768; 15:256; 16:704; 17:96; 18:144; 19:8; 20:8;
  mallocs by size class: 8:288647; 9:26533; 10:10394; 11:6886; 12:2044; 13:1166; 14:533; 15:162; 16:694; 17:81; 18:129; 19:6; 20:6;
  frees   by size class: 8:178460; 9:17981; 10:7052; 11:3628; 12:1110; 13:952; 14:391; 15:125; 16:655; 17:74; 18:106; 19:4; 20:4;
  rfrees  by size class:
Stats: malloc large: 222 small slow: 1511
==32448== ABORTING
Component: General → Internationalization
Product: Firefox → Core
(Assignee)

Comment 1

5 years ago
Created attachment 671179 [details] [diff] [review]
part 1, add a MOZ_ASSERT to catch the problem
Attachment #671179 - Flags: review?(smontagu)
(Assignee)

Comment 2

5 years ago
Created attachment 671180 [details] [diff] [review]
part 2, fix

It appears the largest number in ISO2022JP_cls is 9, so ISO2022JPCharLenTable
needs 10 entries.
Attachment #671180 - Flags: review?(smontagu)
(Assignee)

Updated

5 years ago
Whiteboard: [asan]
Attachment #671180 - Flags: review?(smontagu) → review+
Attachment #671179 - Flags: review?(smontagu) → review+
(Assignee)

Comment 3

5 years ago
Without the fix, the two missing entries have the values:
charLenTable[8] = 2
charLenTable[9] = 0
which are the first bytes from ISO2022KR_cls, at least on Linux64 and most
likely on other platforms as well (from the "static const" section anyway).

I'm not familiar with how GetCurrentCharLen() is used, but at a glance it
looks like the worst that could happen is an out-of-bounds read that either
crashes or makes us use the wrong character encoding.  So this bug seems unlikely
to be exploitable.
Keywords: sec-other
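The defect described in Comment 2 and Comment 3 is a lookup table indexed by a byte class that has fewer entries than there are classes: the ASan report shows a 4-byte read exactly at the end of a 32-byte global, i.e. entry 8 of an 8-entry table, with the bytes of whatever global followed it being returned as "char lengths". The following is an added example, not Mozilla's code: it models the pattern with constructed tables (kByteClass, kCharLenShort and kCharLenFixed are hypothetical names and values, not the tables in nsEscSM.cpp) and shows the two checks that catch this class of bug, a compile-time assertion that the length table has one entry per class, and a bounds-checked lookup that plays the role of the MOZ_ASSERT from part 1.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an escape-sequence state machine's tables (hypothetical
   names and values; not the tables in nsEscSM.cpp). Each byte maps to one of
   NUM_CLASSES classes, and the class then indexes a char-length table. */
#define NUM_CLASSES 10

/* Byte -> class. Every byte not listed gets class 0. The highest class is 9,
   matching what Comment 2 reports for ISO2022JP_cls. */
static const uint8_t kByteClass[256] = {
    [0x1B] = 1,  /* ESC */
    ['$']  = 2,
    ['(']  = 3,
    ['@']  = 4,
    ['B']  = 5,
    ['J']  = 6,
    ['I']  = 7,
    [0x0E] = 8,  /* SO */
    [0x0F] = 9,  /* SI */
};

/* Pre-fix shape: 8 entries of 4 bytes, the 32-byte global in the ASan report.
   Classes 8 and 9 index past its end. */
static const uint32_t kCharLenShort[8] = {0, 0, 0, 0, 0, 0, 0, 0};

/* Post-fix shape: one entry per class. */
static const uint32_t kCharLenFixed[NUM_CLASSES] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

/* Compile-time check: the length table must cover every class value. A table
   declared with fewer entries than NUM_CLASSES fails to build. */
_Static_assert(sizeof(kCharLenFixed) / sizeof(kCharLenFixed[0]) == NUM_CLASSES,
               "char-length table must have one entry per byte class");

/* Largest class value the byte table can produce. */
unsigned max_class(const uint8_t *cls, size_t n) {
    unsigned m = 0;
    for (size_t i = 0; i < n; i++) {
        if (cls[i] > m) m = cls[i];
    }
    return m;
}

/* 1 if a length table with len_entries entries can be indexed by every class
   that cls produces, 0 otherwise. This is the invariant the fix restores. */
int table_covers_classes(const uint8_t *cls, size_t n, size_t len_entries) {
    return (size_t)max_class(cls, n) + 1 <= len_entries;
}

/* Bounds-checked lookup: returns the char length for byte b, or -1 when the
   byte's class would index outside the table (where the unchecked code read
   whatever global happened to follow it). */
int char_len_checked(const uint32_t *table, size_t len_entries, unsigned char b) {
    unsigned c = kByteClass[b];
    if (c >= len_entries) return -1;
    return (int)table[c];
}

int main(void) {
    printf("max class: %u\n", max_class(kByteClass, 256));
    printf("8-entry table covers all classes: %d\n",
           table_covers_classes(kByteClass, 256, 8));
    printf("10-entry table covers all classes: %d\n",
           table_covers_classes(kByteClass, 256, NUM_CLASSES));
    printf("SO (class 8) in 8-entry table: %d\n",
           char_len_checked(kCharLenShort, 8, 0x0E));
    printf("SO (class 8) in 10-entry table: %d\n",
           char_len_checked(kCharLenFixed, NUM_CLASSES, 0x0E));
    return 0;
}
```

The runtime check is what turns a silent wrong-encoding result into a detectable failure; the static assertion is the cheaper fix, since it ties the length table's size to the class count at the point where both are declared, so a later change to the class table cannot reintroduce the mismatch unnoticed.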
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a53185bd1aed
https://hg.mozilla.org/integration/mozilla-inbound/rev/baaff43d6a16
https://hg.mozilla.org/mozilla-central/rev/a53185bd1aed
https://hg.mozilla.org/mozilla-central/rev/baaff43d6a16

Should this have a test?
Assignee: nobody → matspal
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox19: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
status-firefox-esr10: --- → wontfix
Keywords: sec-other → csec-bounds, sec-low

Updated

5 years ago
status-firefox-esr17: --- → wontfix
Summary: Global-buffer-overflow in nsCodingStateMachine::NextState → out-of-bounds-read in nsCodingStateMachine::NextState
status-b2g18: --- → wontfix
Whiteboard: [asan] → [asan][adv-main19+]
Alias: CVE-2013-0779
Group: core-security