Closed Bug 801330 (CVE-2013-0779) Opened 12 years ago Closed 12 years ago

out-of-bounds-read in nsCodingStateMachine::NextState

Categories

Product/Component: Core :: Internationalization
Type: defect
Hardware: x86_64
OS: All
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla19
Tracking Status:
firefox19 --- fixed
firefox-esr10 --- wontfix
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: inferno, Assigned: MatsPalmgren_bugz)

Details

(Keywords: csectype-bounds, sec-low, Whiteboard: [asan][adv-main19+])

Attachments

(3 files)

Attached file Testcase
Reproduces on trunk. Open the testcase and change character encoding View->Character Encoding->Auto-Detect->East Asian.

=================================================================
==32448== ERROR: AddressSanitizer global-buffer-overflow on address 0x7f2050d63e60 at pc 0x7f204271648c bp 0x7f20125fbfb0 sp 0x7f20125fbfa8
READ of size 4 at 0x7f2050d63e60 thread T27
#0 0x7f204271648b in nsCodingStateMachine::NextState(char) extensions/universalchardet/src/base/nsCodingStateMachine.h:37
#1 0x7f2042720237 in nsEscCharSetProber::HandleData(char const*, unsigned int) extensions/universalchardet/src/base/nsEscCharsetProber.cpp:56
#2 0x7f204273c9be in nsUniversalDetector::HandleData(char const*, unsigned int) extensions/universalchardet/src/base/nsUniversalDetector.cpp:169
#3 0x7f20427060b6 in nsXPCOMDetector::DoIt(char const*, unsigned int, bool*) extensions/universalchardet/src/xpcom/nsUdetXPCOMWrapper.cpp:57
#4 0x7f204270663c in non-virtual thunk to nsXPCOMDetector::DoIt(char const*, unsigned int, bool*) :?
#5 0x7f203e90c6ed in nsHtml5StreamParser::FinalizeSniffing(unsigned char const*, unsigned int, unsigned int*, unsigned int) parser/html/nsHtml5StreamParser.cpp:584
#6 0x7f203e916118 in nsHtml5StreamParser::DoStopRequest() parser/html/nsHtml5StreamParser.cpp:1001
#7 0x7f203e9257a1 in nsHtml5RequestStopper::Run() parser/html/nsHtml5StreamParser.cpp:1027
#8 0x7f204530f4f0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
#9 0x7f2044fa036b in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
#10 0x7f204530732e in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:256
#11 0x7f20563eed16 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:156
#12 0x4c627a in __asan::AsanThread::ThreadStart() ??:?
0x7f2050d63e60 is located 0 bytes to the right of global variable 'ISO2022JPCharLenTable (extensions/universalchardet/src/base/nsEscSM.cpp)' (0x7f2050d63e40) of size 32
'ISO2022JPCharLenTable (extensions/universalchardet/src/base/nsEscSM.cpp)' is ascii string ''
Thread T27 created by T0 here:
#0 0x4bf8e4 in __interceptor_pthread_create ??:?
#1 0x7f20563dff8f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7f20563ddd3c in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:476
#3 0x7f204530a3ee in nsThread::Init() xpcom/threads/nsThread.cpp:322
#4 0x7f20453213ca in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:215
#5 0x7f2044f9d7fb in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:49
#6 0x7f203e8b22db in tag_nsresult NS_NewNamedThread_P<13ul>(char const (&) [13ul], nsIThread**, nsIRunnable*, unsigned int) ../../dist/include/nsThreadUtils.h:88
#7 0x7f203e8b1c49 in nsHtml5Module::GetStreamParserThread() parser/html/nsHtml5Module.cpp:118
#8 0x7f203e8ff98f in nsHtml5StreamParser parser/html/nsHtml5StreamParser.cpp:164
#9 0x7f203e6ddc66 in nsHtml5Parser::MarkAsNotScriptCreated(char const*) parser/html/nsHtml5Parser.cpp:575
#10 0x7f203cd70640 in nsHTMLDocument::StartDocumentLoad(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsIStreamListener**, bool, nsIContentSink*) content/html/document/src/nsHTMLDocument.cpp:629
#11 0x7f203954f60e in nsContentDLF::CreateDocument(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsID const&, nsIStreamListener**, nsIContentViewer**) layout/build/nsContentDLF.cpp:413
#12 0x7f203954c3c2 in nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, char const*, nsISupports*, nsISupports*, nsIStreamListener**, nsIContentViewer**) layout/build/nsContentDLF.cpp:207
#13 0x7f20414a2b17 in nsDocShell::NewContentViewerObj(char const*, nsIRequest*, nsILoadGroup*, nsIStreamListener**, nsIContentViewer**) docshell/base/nsDocShell.cpp:7927
#14 0x7f204149ad82 in nsDocShell::CreateContentViewer(char const*, nsIRequest*, nsIStreamListener**) docshell/base/nsDocShell.cpp:7732
#15 0x7f2041534339 in nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*) docshell/base/nsDSURIContentListener.cpp:122
#16 0x7f2041562eff in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) uriloader/base/nsURILoader.cpp:654
#17 0x7f204155e824 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:356
#18 0x7f204155d15c in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:248
#19 0x7f2037aff3a2 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) netwerk/base/src/nsBaseChannel.cpp:740
#20 0x7f2037b00ea6 in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) :?
#21 0x7f2037b9a644 in nsInputStreamPump::OnStateStart() netwerk/base/src/nsInputStreamPump.cpp:417
#22 0x7f2037b99841 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:368
#23 0x7f2037b9cc5e in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) :?
#24 0x7f2045201065 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:82
#25 0x7f204530f4f0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
#26 0x7f2044fa036b in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
#27 0x7f20439437b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
#28 0x7f20455e9401 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:215
#29 0x7f20455e9236 in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:208
#30 0x7f20455e911b in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:182
#31 0x7f2042de527a in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
#32 0x7f2041a13f84 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:290
#33 0x7f20379c55ed in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3792
#34 0x7f20379cb465 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3858
#35 0x7f20379ce314 in XRE_main toolkit/xre/nsAppRunner.cpp:3933
#36 0x40baa3 in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
#37 0x4091e5 in main browser/app/nsBrowserApp.cpp:279
#38 0x7f205727076c in ?? ??:0
==32448== ABORTING
Component: General → Internationalization
Product: Firefox → Core
Attachment #671179 - Flags: review?(smontagu)
Attached patch part 2, fix (Splinter Review)
It appears the largest number in ISO2022JP_cls is 9, so ISO2022JPCharLenTable needs 10 entries.
Attachment #671180 - Flags: review?(smontagu)
Whiteboard: [asan]
Attachment #671180 - Flags: review?(smontagu) → review+
Attachment #671179 - Flags: review?(smontagu) → review+
Without the fix, the two missing entries have the values:
charLenTable[8] = 2
charLenTable[9] = 0
which are the first bytes from ISO2022KR_cls, at least on Linux64 and most likely on other platforms as well (from the "static const" section anyway). I'm not familiar with how GetCurrentCharLen() is used, but at a glance it looks like the worst that could happen is an out-of-bounds read that either crashes or makes us use the wrong character encoding. So this bug seems unlikely to be exploitable.
Keywords: sec-other
Assignee: nobody → matspal
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Summary: Global-buffer-overflow in nsCodingStateMachine::NextState → out-of-bounds-read in nsCodingStateMachine::NextState
Whiteboard: [asan] → [asan][adv-main19+]
Alias: CVE-2013-0779
Group: core-security
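The comments above pin the defect down to a character-length table with fewer entries than the largest class value its byte-class table can produce (8 entries, classes up to 9). As an added example that is not Mozilla's code, the check below computes the largest class any byte maps to and compares it with the length-table size, next to a bounds-checked lookup; the class assignments and lengths are constructed and only mimic the shape of the real universalchardet tables.

```c
/* Added example (not Mozilla's code). Constructed tables that mimic the shape of
 * the universalchardet state machine: a byte->class table whose values index a
 * per-class character-length table. Class assignments and lengths are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_BYTES 256

typedef struct {
    const uint8_t  *cls;              /* byte value -> class, NUM_BYTES entries */
    const uint32_t *char_len;         /* class -> character length */
    size_t          char_len_entries; /* number of entries in char_len */
} coding_sm_tables;

static uint8_t g_cls[NUM_BYTES];
static const uint32_t g_len_short[8]  = {1, 1, 1, 1, 1, 1, 1, 1};       /* before the fix: no entry for classes 8, 9 */
static const uint32_t g_len_fixed[10] = {1, 1, 1, 1, 1, 1, 1, 1, 0, 0}; /* after the fix: one entry per class */

/* Constructed class map: ESC -> 9, SO -> 8, every other byte -> 0..7. */
static void build_tables(coding_sm_tables *before, coding_sm_tables *after) {
    for (int c = 0; c < NUM_BYTES; c++)
        g_cls[c] = (c == 0x1B) ? 9 : (c == 0x0E) ? 8 : (uint8_t)(c >> 5);
    before->cls = g_cls; before->char_len = g_len_short;
    before->char_len_entries = sizeof(g_len_short) / sizeof(g_len_short[0]);
    after->cls = g_cls; after->char_len = g_len_fixed;
    after->char_len_entries = sizeof(g_len_fixed) / sizeof(g_len_fixed[0]);
}

/* Largest class any byte maps to; char_len needs max_class + 1 entries. */
static unsigned max_class(const uint8_t *cls) {
    unsigned m = 0;
    for (int c = 0; c < NUM_BYTES; c++) if (cls[c] > m) m = cls[c];
    return m;
}

/* The consistency check the original tables lacked: every reachable class has a length entry. */
static int tables_consistent(const coding_sm_tables *t) {
    return (size_t)max_class(t->cls) + 1 <= t->char_len_entries;
}

/* Bounds-checked lookup; returns -1 instead of reading past char_len. */
static int char_len_for_byte(const coding_sm_tables *t, unsigned char c) {
    unsigned k = t->cls[c];
    return k < t->char_len_entries ? (int)t->char_len[k] : -1;
}

int main(void) {
    coding_sm_tables before, after;
    build_tables(&before, &after);
    printf("8-entry table consistent: %d\n", tables_consistent(&before));         /* 0 */
    printf("10-entry table consistent: %d\n", tables_consistent(&after));         /* 1 */
    printf("len for ESC via 8-entry table: %d\n", char_len_for_byte(&before, 0x1B)); /* -1 */
    return 0;
}
```

The same max-class comparison can run at build time against the real tables so a table that is too short fails compilation rather than surfacing as an ASan report.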