Last Comment Bug 814026 - (CVE-2013-0754) ListenerManager Use-After-Free Remote Code Execution Vulnerability (ZDI-CAN-1591)
(CVE-2013-0754)
: ListenerManager Use-After-Free Remote Code Execution Vulnerability (ZDI-CAN-1...
Status: RESOLVED FIXED
[adv-main18+][adv-esr17+][adv-esr10+]
: csectype-uaf, sec-critical, testcase
Product: Core
Classification: Components
Component: DOM: Workers (show other bugs)
: 12 Branch
: All Windows XP
: -- normal (vote)
: ---
Assigned To: Ben Turner (not reading bugmail, use the needinfo flag!)
:
Mentors:
Depends on: 835826
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-21 08:36 PST by Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]
Modified: 2013-04-30 18:41 PDT (History)
17 users (show)
anthony.s.hughes: in‑testsuite?
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
fixed
+
fixed
+
fixed
verified
18+
verified
fixed


Attachments
Patch, v1 (1.91 KB, patch)
2012-11-21 09:11 PST, Ben Turner (not reading bugmail, use the needinfo flag!)
bzbarsky: review+
Details | Diff | Review
Patch, v2 (2.93 KB, patch)
2012-12-17 20:46 PST, Ben Turner (not reading bugmail, use the needinfo flag!)
mrbkap: review+
bajaj.bhavana: approval‑mozilla‑aurora+
bajaj.bhavana: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑release-
lukasblakk+bugs: approval‑mozilla‑esr10+
bajaj.bhavana: approval‑mozilla‑esr17+
Details | Diff | Review

Description Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]] 2012-11-21 08:36:51 PST
Created attachment 684041 [details]
PoC

-- CVSS -----------------------------------------
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- ABSTRACT -------------------------------------
TippingPoint has identified a vulnerability affecting the following products:

  Mozilla Firefox

-- VULNERABILITY DETAILS ------------------------
Version(s) Tested: Mozilla Firefox 12.0
Platform(s) Tested: Windows XP SP3

--------------------- 
Vulnerability details 
---------------------

The vulnerable function is ListenerManager::DispatchEvent within dom/workers/ListenerManager.cpp
From the researcher:
Registered event listeners are stored in temporary |js::Vector| before being
called one by one. When the number of |jsval|s held in |listeners| exceeds 10,
storage space for them is allocated on the heap. Thus, they are unreachable
from garbage collector roots. During user-provided event handling callback, one
is free to remove/unregister all the listeners and force garbage collection. |jsval|s kept in |listeners| will become dangling pointers.

The code below triggers the vulnerability: 

--------------- 
Begin Code Snip 
---------------
<!DOCTYPE html>
<!--
     Mozilla Firefox 12.0
     ListenerManager dangling pointer
     Windows XP SP3 x86 code exec
     regenrecht@o2.pl May 2012
-->
<html>
<head>

</head>
<body onload="run();">
</body>
</html>


--------------- 
End Code Snip 
---------------
This code will create a listener that will erase all subsequent listeners and replace them with memory that'll result in EIP being c1c2c3c4

-- CREDIT ---------------------------------------
This vulnerability was discovered by:

   regenrecht

-- FURTHER DETAILS ------------------------------
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 180 days of the reported date. If you are ready to release a patch at any point leading up the the deadline please coordinate with us so that we may release our advisory detailing the issue. If the 180 day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:


Zero Day Initiative
zdi-disclosures@tippingpoint.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/zdi-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Please contact us for further information or refer to:

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/
Comment 1 Olli Pettay [:smaug] 2012-11-21 08:42:00 PST
There is a reason why using the normal event handling also with worker objects would be really nice :/
Comment 2 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-11-21 09:11:09 PST
Created attachment 684057 [details] [diff] [review]
Patch, v1

This should work. Branches have different filenames but the same basic code.
Comment 3 Boris Zbarsky [:bz] 2012-11-21 09:14:58 PST
Comment on attachment 684057 [details] [diff] [review]
Patch, v1

r=me
Comment 4 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-11-21 09:30:31 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/c19edad3d359
Comment 5 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-11-21 09:31:57 PST
Oops.
Comment 6 Ed Morley [:emorley] 2012-11-21 11:22:35 PST
Backed out for crashes on Android:
eg: https://tbpl.mozilla.org/php/getParsedLog.php?id=17246531&tree=Mozilla-Inbound

and on a later push (when bz's bustage was backed out, so easier to see what's left):
https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=461a2225b7ba
https://tbpl.mozilla.org/php/getParsedLog.php?id=17247031&tree=Mozilla-Inbound

{
PROCESS-CRASH | /tests/Harness_sanity/test_SpecialPowersExtension.html | application crashed (minidump found)
Crash dump filename: /tmp/tmpcoqkYP/138e614b-fa04-f34e-3924bba1-621d3812.dmp
Operating system: Android
                  0.0.0 Linux 2.6.32.9-00002-gd8084dc-dirty #1 SMP PREEMPT Wed Feb 2 11:32:06 PST 2011 armv7l nvidia/harmony/harmony/harmony:2.2/FRF91/20110202.102810:eng/test-keys
CPU: arm
     0 CPUs

Crash reason:  SIGSEGV
Crash address: 0xfffff000

Thread 4 (crashed)
 0  libxul.so!js::gc::MarkString(JSTracer*, js::EncapsulatedPtr<JSAtom, unsigned int>*, char const*) [Heap.h : 989 + 0x0]
     r4 = 0x50f25110    r5 = 0xfffff000    r6 = 0x00000001    r7 = 0x5571918c
     r8 = 0x56e46cf8    r9 = 0x00000004   r10 = 0x55899740    fp = 0x56e46d30
     sp = 0x4e7a7490    lr = 0x5534fe0b    pc = 0x553f8bd0
    Found by: given as instruction pointer in context
 1  libxul.so!JSScript::markChildren(JSTracer*) [jsscript.cpp : 2561 + 0x7]
     r4 = 0x57202e98    r5 = 0x50f25110    r6 = 0x00000001    r7 = 0x5571918c
     r8 = 0x56e46cf8    r9 = 0x00000004   r10 = 0x55899740    fp = 0x56e46d30
     sp = 0x4e7a74a0    pc = 0x5534fe0b
    Found by: call frame info
 2  libxul.so!PushMarkStack [Marking.cpp : 838 + 0x7]
     r4 = 0x00080000    r5 = 0x57200000    r6 = 0x00000001    r7 = 0x000005d3
     r8 = 0x56e46cf8    r9 = 0x00000004   r10 = 0x0000002c    fp = 0x56e46d30
     sp = 0x4e7a74e8    pc = 0x553f6b11
    Found by: call frame info
 3  libxul.so!js::gc::MarkScriptUnbarriered [Marking.cpp : 137 + 0x7]
     r4 = 0x50f25110    r5 = 0x57202000    r6 = 0x4e7a7668    r7 = 0x56cf9100
     r8 = 0x56e46cf8    r9 = 0x00000004   r10 = 0x0000002c    fp = 0x56e46d30
     sp = 0x4e7a7500    pc = 0x553f759f
    Found by: call frame info
}

https://hg.mozilla.org/integration/mozilla-inbound/rev/668f0085f1ef
Comment 7 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-06 13:13:02 PST
Ok, I've poked around this a bunch and can't figure out how adding additional roots could trigger crashes in GC.

CC'ing a few JS folks, any pointers or help you can provide would be wonderful!
Comment 8 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-07 08:32:09 PST
Blake and I sat down to look at this for a few hours and figured out that the problem really is somehow specific to JS::AutoValueVector:

1. If we replace the autorooter with manual JS_AddRoot/JS_RemoveRoot calls then we don't crash (so it's not somehow the act of marking these listener objects that is the problem).

2. Blake was also concerned that we were somehow being called with a JSContext from a different thread (and hence racing) but we've satisfied ourselves that this is not happening.

3. The autorooter seems to be working correctly, cx->runtime->autoGCRooters is being set/unset correctly, so the problem must happen during the actual tracing.

4. The heap is definitely being corrupted and the crashes are all over the place.

Blake, did I leave anything out?
Comment 9 Bill McCloskey (:billm) 2012-12-07 09:31:59 PST
How difficult is it to reproduce this? What sort of debugging environment do you have? It sounds like it only happens on ARM?
Comment 10 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-07 09:34:26 PST
We were testing on B2G, actually. But it looks like all you have to do is apply this patch and build/run on ARM. Fennec and B2G both use workers so they both crash almost instantly.
Comment 11 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-12-07 13:56:45 PST
That summary sounds right to me.
Comment 12 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-12-10 17:24:09 PST
For the record: I built a b2g debug build (both with optimization and without) and this stopped crashing. As far as I know, the only crashing configuration is --disable-debug --enable-optimize. Fun times.
Comment 13 Bill McCloskey (:billm) 2012-12-12 10:59:52 PST
I'd like to help out with this, but I don't have access to an ARM system. Blake, if you're in MV some time, could we take a look at this?
Comment 14 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-12-12 16:08:38 PST
(In reply to Bill McCloskey (:billm) from comment #13)
> I'd like to help out with this, but I don't have access to an ARM system.
> Blake, if you're in MV some time, could we take a look at this?

Hey Bill, I'll be in MV on Friday, I'll find you when I get in.
Comment 15 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-17 10:48:05 PST
Hey Blake, Bill, did you guys make any progress on Friday? Release management folks want to know what we're planning on doing here and I don't know what to tell them :)
Comment 16 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-17 15:29:45 PST
FYI this still crashes android builds on tinderbox (https://tbpl.mozilla.org/?tree=Try&rev=377d8b6326a9).
Comment 17 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-17 20:46:44 PST
Created attachment 693236 [details] [diff] [review]
Patch, v2

This is the slow awful patch that should avoid the security problem. We'll need to replace someday with the v1 patch once we figure out why it crashes android.
Comment 18 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-12-17 22:32:22 PST
Comment on attachment 693236 [details] [diff] [review]
Patch, v2

Please file a followup on removing this hack. Also, when we check this into the branches, bug 820185 will have to land there at the same time.
Comment 19 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-18 08:03:44 PST
https://hg.mozilla.org/mozilla-central/rev/fd8fd1a7aecd
Comment 20 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-18 08:06:29 PST
Comment on attachment 693236 [details] [diff] [review]
Patch, v2

[Approval Request Comment]
User impact if declined: Reported vulnerability
Fix Landed on Version: mozilla-central
Risk to taking this patch (and alternatives if risky): Theoretically some sort of GC crash could result but this patch is designed to avoid GC crashes so it shouldn't be likely.
String or UUID changes made by this patch: None
Comment 21 bhavana bajaj [:bajaj] 2012-12-18 15:27:37 PST
(In reply to ben turner [:bent] from comment #20)
> Comment on attachment 693236 [details] [diff] [review]
> Patch, v2
> 
> [Approval Request Comment]
> User impact if declined: Reported vulnerability
> Fix Landed on Version: mozilla-central
> Risk to taking this patch (and alternatives if risky): Theoretically some
> sort of GC crash could result but this patch is designed to avoid GC crashes
> so it shouldn't be likely.
> String or UUID changes made by this patch: None

I will approve it on needed branches for now, but please use the sec-approval flag in future before landing on sec-crit,sec-high patches on m-c .Thanks !
Comment 22 Lukas Blakk [:lsblakk] use ?needinfo 2012-12-18 16:58:00 PST
Comment on attachment 693236 [details] [diff] [review]
Patch, v2

approving for esr10, please go ahead and land there.  minusing for mozilla-release since we are not chemspilling for this bug and since we are a couple weeks from releasing 18 it is unlikely we will need this on release.
Comment 23 Lukas Blakk [:lsblakk] use ?needinfo 2012-12-18 17:00:45 PST
according to comment 18 bug 820185  needs to land on branches too so please nominate for tracking on the branches that do need it.
Comment 24 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-18 20:25:17 PST
(In reply to bhavana bajaj [:bajaj] from comment #21)
> please use the sec-approval flag in future

Ugh, I botched that. Sorry!
Comment 25 Alex Keybl [:akeybl] 2012-12-19 10:48:52 PST
Comment on attachment 693236 [details] [diff] [review]
Patch, v2

Because this is landing to mozilla-beta, it'll also land to mozilla-b2g18.
Comment 27 Blake Kaplan (:mrbkap) (please use needinfo!) 2012-12-19 12:43:26 PST
My backport to esr10 didn't work so I backed it out: https://hg.mozilla.org/releases/mozilla-esr10/rev/162298a38b45

Ben, can you do a proper backport? I have to run to a family event.
Comment 28 Ben Turner (not reading bugmail, use the needinfo flag!) 2012-12-19 16:54:56 PST
https://hg.mozilla.org/releases/mozilla-esr10/rev/65c6a8972d45
Comment 29 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2012-12-21 16:56:34 PST
https://hg.mozilla.org/releases/mozilla-b2g18/rev/94db12abec04
Comment 30 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-01-03 10:48:53 PST
Is it possible to get the testcase for this bug in testsuite?
Comment 31 Matt Wobensmith [:mwobensmith][:matt:] 2013-01-07 16:40:09 PST
Confirmed crash on 10.0.11 and 17.0.1 ESR, confirmed fix on 10.0.12 and 17.0.2 ESR.
Comment 32 Ben Turner (not reading bugmail, use the needinfo flag!) 2013-01-29 07:39:03 PST
(In reply to Blake Kaplan (:mrbkap) from comment #18)
> Please file a followup on removing this hack.

Bug 835826.

Note You need to log in before you can comment on or make changes to this bug.