Bug 801330 - (CVE-2013-0779) out-of-bounds-read in nsCodingStateMachine::NextState

Status: RESOLVED FIXED
Whiteboard: [asan][adv-main19+]
Keywords: csectype-bounds, sec-low
Product: Core
Classification: Components
Component: Internationalization
Version: Trunk
Platform: x86_64 All
Priority: --
Severity: normal
Target Milestone: mozilla19
Assigned To: Mats Palmgren (:mats)
Reported: 2012-10-13 13:01 PDT by Abhishek Arya
Modified: 2014-11-19 19:36 PST
Flags: ryanvm: in-testsuite?


Attachments
Testcase (67 bytes, text/html), 2012-10-13 13:01 PDT, Abhishek Arya
part 1, add a MOZ_ASSERT to catch the problem (9.68 KB, patch), 2012-10-13 22:19 PDT, Mats Palmgren (:mats), smontagu: review+
part 2, fix (1.26 KB, patch), 2012-10-13 22:22 PDT, Mats Palmgren (:mats), smontagu: review+

Description Abhishek Arya 2012-10-13 13:01:12 PDT
Created attachment 671125 [details]
Testcase

Reproduces on trunk. Open the testcase and change character encoding View->Character Encoding->Auto-Detect->East Asian.

=================================================================
==32448== ERROR: AddressSanitizer global-buffer-overflow on address 0x7f2050d63e60 at pc 0x7f204271648c bp 0x7f20125fbfb0 sp 0x7f20125fbfa8
READ of size 4 at 0x7f2050d63e60 thread T27
    #0 0x7f204271648b in nsCodingStateMachine::NextState(char) extensions/universalchardet/src/base/nsCodingStateMachine.h:37
    #1 0x7f2042720237 in nsEscCharSetProber::HandleData(char const*, unsigned int) extensions/universalchardet/src/base/nsEscCharsetProber.cpp:56
    #2 0x7f204273c9be in nsUniversalDetector::HandleData(char const*, unsigned int) extensions/universalchardet/src/base/nsUniversalDetector.cpp:169
    #3 0x7f20427060b6 in nsXPCOMDetector::DoIt(char const*, unsigned int, bool*) extensions/universalchardet/src/xpcom/nsUdetXPCOMWrapper.cpp:57
    #4 0x7f204270663c in non-virtual thunk to nsXPCOMDetector::DoIt(char const*, unsigned int, bool*) :?
    #5 0x7f203e90c6ed in nsHtml5StreamParser::FinalizeSniffing(unsigned char const*, unsigned int, unsigned int*, unsigned int) parser/html/nsHtml5StreamParser.cpp:584
    #6 0x7f203e916118 in nsHtml5StreamParser::DoStopRequest() parser/html/nsHtml5StreamParser.cpp:1001
    #7 0x7f203e9257a1 in nsHtml5RequestStopper::Run() parser/html/nsHtml5StreamParser.cpp:1027
    #8 0x7f204530f4f0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #9 0x7f2044fa036b in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #10 0x7f204530732e in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:256
    #11 0x7f20563eed16 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:156
    #12 0x4c627a in __asan::AsanThread::ThreadStart() ??:?
0x7f2050d63e60 is located 0 bytes to the right of global variable 'ISO2022JPCharLenTable (extensions/universalchardet/src/base/nsEscSM.cpp)' (0x7f2050d63e40) of size 32
  'ISO2022JPCharLenTable (extensions/universalchardet/src/base/nsEscSM.cpp)' is ascii string ''
Shadow byte and word:
  0x1fe40a1ac7cc: f9
  0x1fe40a1ac7c8: 00 00 00 00 f9 f9 f9 f9
More shadow bytes:
  0x1fe40a1ac7a8: 00 00 00 00 00 00 00 00
  0x1fe40a1ac7b0: 00 00 00 00 f9 f9 f9 f9
  0x1fe40a1ac7b8: 00 00 00 00 00 00 00 00
  0x1fe40a1ac7c0: 04 f9 f9 f9 f9 f9 f9 f9
=>0x1fe40a1ac7c8: 00 00 00 00 f9 f9 f9 f9
  0x1fe40a1ac7d0: 00 00 00 00 00 04 f9 f9
  0x1fe40a1ac7d8: f9 f9 f9 f9 00 00 00 00
  0x1fe40a1ac7e0: 00 00 00 00 00 00 00 00
  0x1fe40a1ac7e8: 00 00 00 00 f9 f9 f9 f9
Thread T27 created by T0 here:
    #0 0x4bf8e4 in __interceptor_pthread_create ??:?
    #1 0x7f20563dff8f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:393
    #2 0x7f20563ddd3c in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:476
    #3 0x7f204530a3ee in nsThread::Init() xpcom/threads/nsThread.cpp:322
    #4 0x7f20453213ca in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:215
    #5 0x7f2044f9d7fb in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:49
    #6 0x7f203e8b22db in tag_nsresult NS_NewNamedThread_P<13ul>(char const (&) [13ul], nsIThread**, nsIRunnable*, unsigned int) ../../dist/include/nsThreadUtils.h:88
    #7 0x7f203e8b1c49 in nsHtml5Module::GetStreamParserThread() parser/html/nsHtml5Module.cpp:118
    #8 0x7f203e8ff98f in nsHtml5StreamParser parser/html/nsHtml5StreamParser.cpp:164
    #9 0x7f203e6ddc66 in nsHtml5Parser::MarkAsNotScriptCreated(char const*) parser/html/nsHtml5Parser.cpp:575
    #10 0x7f203cd70640 in nsHTMLDocument::StartDocumentLoad(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsIStreamListener**, bool, nsIContentSink*) content/html/document/src/nsHTMLDocument.cpp:629
    #11 0x7f203954f60e in nsContentDLF::CreateDocument(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsID const&, nsIStreamListener**, nsIContentViewer**) layout/build/nsContentDLF.cpp:413
    #12 0x7f203954c3c2 in nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, char const*, nsISupports*, nsISupports*, nsIStreamListener**, nsIContentViewer**) layout/build/nsContentDLF.cpp:207
    #13 0x7f20414a2b17 in nsDocShell::NewContentViewerObj(char const*, nsIRequest*, nsILoadGroup*, nsIStreamListener**, nsIContentViewer**) docshell/base/nsDocShell.cpp:7927
    #14 0x7f204149ad82 in nsDocShell::CreateContentViewer(char const*, nsIRequest*, nsIStreamListener**) docshell/base/nsDocShell.cpp:7732
    #15 0x7f2041534339 in nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*) docshell/base/nsDSURIContentListener.cpp:122
    #16 0x7f2041562eff in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) uriloader/base/nsURILoader.cpp:654
    #17 0x7f204155e824 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:356
    #18 0x7f204155d15c in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) uriloader/base/nsURILoader.cpp:248
    #19 0x7f2037aff3a2 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) netwerk/base/src/nsBaseChannel.cpp:740
    #20 0x7f2037b00ea6 in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) :?
    #21 0x7f2037b9a644 in nsInputStreamPump::OnStateStart() netwerk/base/src/nsInputStreamPump.cpp:417
    #22 0x7f2037b99841 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:368
    #23 0x7f2037b9cc5e in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) :?
    #24 0x7f2045201065 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:82
    #25 0x7f204530f4f0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:612
    #26 0x7f2044fa036b in NS_ProcessNextEvent_P(nsIThread*, bool) objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #27 0x7f20439437b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:82
    #28 0x7f20455e9401 in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:215
    #29 0x7f20455e9236 in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:208
    #30 0x7f20455e911b in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:182
    #31 0x7f2042de527a in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:163
    #32 0x7f2041a13f84 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:290
    #33 0x7f20379c55ed in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3792
    #34 0x7f20379cb465 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3858
    #35 0x7f20379ce314 in XRE_main toolkit/xre/nsAppRunner.cpp:3933
    #36 0x40baa3 in do_main(int, char**) browser/app/nsBrowserApp.cpp:174
    #37 0x4091e5 in main browser/app/nsBrowserApp.cpp:279
    #38 0x7f205727076c in ?? ??:0
==32448== ABORTING
Comment 1 Mats Palmgren (:mats) 2012-10-13 22:19:23 PDT
Created attachment 671179 [details] [diff] [review]
part 1, add a MOZ_ASSERT to catch the problem
Comment 2 Mats Palmgren (:mats) 2012-10-13 22:22:26 PDT
Created attachment 671180 [details] [diff] [review]
part 2, fix

It appears the largest number in ISO2022JP_cls is 9, so ISO2022JPCharLenTable
needs 10 entries.
Comment 3 Mats Palmgren (:mats) 2012-10-14 10:08:22 PDT
Without the fix, the two missing entries have the values:
charLenTable[8] = 2
charLenTable[9] = 0
which are the first bytes from ISO2022KR_cls, at least on Linux64 and most
likely on other platforms as well (from the "static const" section anyway).

I'm not familiar with how GetCurrentCharLen() is used, but at a glance it
looks like the worst that could happen is an out-of-bounds read that either
crashes or makes us use the wrong character encoding.  So this bug seems unlikely
to be exploitable.
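As an added illustration of the table-sizing defect described in comments 2 and 3 (this is constructed example code, not the bug's patch or Mozilla's tables): a toy byte classifier whose class indices run 0..9, an 8-entry length table that those indices overrun, and the corrected table with a compile-time size check plus a bounds-checked lookup. All names (byte_class, kCharLenTable, MAX_CLASS, and so on) and values are invented.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the lookup in the bug: a byte maps to a class index,
 * and a per-class table gives the character length. Names and values are
 * invented for illustration; they are not Mozilla's tables. */

#define ESC_BYTE 0x1b
#define MAX_CLASS 9 /* as with ISO2022JP_cls, the largest class value is 9 */

/* Constructed byte classifier producing class values 0..MAX_CLASS. */
static int byte_class(unsigned char c) {
    switch (c) {
    case ESC_BYTE: return 9;
    case '$': return 8;  case '(': return 7;  case ')': return 6;
    case '@': return 5;  case 'B': return 4;  case 'J': return 3;
    case 'I': return 2;
    default:  return c >= 0x80 ? 1 : 0;
    }
}

/* The defect: an 8-entry table indexed by classes that reach 9, so classes
 * 8 and 9 would read whatever static data happens to follow the array. */
static const uint32_t kShortCharLenTable[8] = {0, 1, 0, 0, 0, 0, 0, 0};

/* The fix: size the table from MAX_CLASS and let the compiler enforce it. */
static const uint32_t kCharLenTable[MAX_CLASS + 1] = {0, 1, 0, 0, 0, 0, 0, 0, 0, 0};
_Static_assert(sizeof(kCharLenTable) / sizeof(kCharLenTable[0]) > MAX_CLASS,
               "char-length table must have an entry for every class");

/* Does a table with `entries` elements cover every class index? */
static int table_covers_all_classes(size_t entries) { return entries > MAX_CLASS; }
/* Bounds-checked lookup: returns -1 instead of reading past the table. */
static int char_len_for_class(const uint32_t *table, size_t entries, int cls) {
    if (cls < 0 || (size_t)cls >= entries) return -1;
    return (int)table[cls];
}

/* Largest class index a buffer produces; a table needs at least that+1 entries. */
static int max_class_in(const unsigned char *buf, size_t len) {
    int m = 0;
    for (size_t i = 0; i < len; i++) {
        int c = byte_class(buf[i]);
        if (c > m) m = c;
    }
    return m;
}
/* Constructed sample input: an ISO-2022 style escape "ESC $ B" plus ASCII. */
static const unsigned char kSample[] = {ESC_BYTE, '$', 'B', 'a', 'b'};
```

Feeding kSample through max_class_in yields 9, which the 8-entry table cannot index; the same check applied to a real class table would have caught the missing two entries at build time.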
Comment 5 Ryan VanderMeulen [:RyanVM] 2012-10-14 14:12:38 PDT
https://hg.mozilla.org/mozilla-central/rev/a53185bd1aed
https://hg.mozilla.org/mozilla-central/rev/baaff43d6a16

Should this have a test?
