Bug 821991 - (CVE-2013-0781) [FIX] Heap-use-after-free in nsPrintEngine::CommonPrint
Status: RESOLVED FIXED
Whiteboard: [asan][adv-main19+] req's user intera...
Keywords: crash, sec-moderate, testcase
Product: Core
Classification: Components
Component: Printing: Setup
Version: Trunk
Hardware: x86_64 All
Importance: -- normal
Target Milestone: mozilla21
Assigned To: Olli Pettay [:smaug] (TPAC)
Reported: 2012-12-15 05:29 PST by Abhishek Arya
Modified: 2014-11-19 19:35 PST
Flags: dchanm+bugzilla: sec-bounty-
Tracking flags: - wontfix, + fixed, + fixed, fixed, - wontfix, - wontfix, wontfix

Attachments
Testcase (271 bytes, text/html), 2012-12-15 05:29 PST, Abhishek Arya
patch (931 bytes, patch), 2012-12-15 06:06 PST, Olli Pettay [:smaug] (TPAC)
  roc: review+
  bajaj.bhavana: approval-mozilla-aurora+
  bajaj.bhavana: approval-mozilla-beta+
  bajaj.bhavana: approval-mozilla-esr17-
  dveditz: sec-approval+

Description Abhishek Arya 2012-12-15 05:29:52 PST
Created attachment 692584 [details]
Testcase

Install FuzzPriv extension to help in invoking print. https://www.squarefree.com/extensions/domFuzzLite3.xpi

Load testcase, wait like 10 sec and then press Escape once or twice.

DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
Printing to: /tmp/j1/fuzzout.pdf
DOMFuzzHelper created
Printing to: /tmp/j1/fuzzout.pdf
DOMFuzzHelper created
Printing to: /tmp/j1/fuzzout.pdf
DOMFuzzHelper created
Printing to: /tmp/j1/fuzzout.pdf
DOMFuzzHelper created
Printing to: /tmp/j1/fuzzout.pdf
=================================================================
==12857== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f1b334eae80 at pc 0x7f1b5125a230 bp 0x7fff0a62af30 sp 0x7fff0a62af28
READ of size 8 at 0x7f1b334eae80 thread T0
    #0 0x7f1b5125a22f in nsPrintEngine::CommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, nsIDOMDocument*) src/layout/printing/nsPrintEngine.cpp:427
    #1 0x7f1b4f94a398 in nsDocumentViewer::Print(nsIPrintSettings*, nsIWebProgressListener*) src/layout/base/nsDocumentViewer.cpp:3666
    #2 0x7f1b52a9f836 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #3 0x7f1b5181ba43 in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:3081
    #4 0x7f1b5181ba43 in CallMethodHelper src/js/xpconnect/src/XPCWrappedNative.cpp:2415
    #5 0x7f1b5181ba43 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:2381
    #6 0x7f1b51830018 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
    #7 0x7f1b53da19dd in native src/js/src/jscntxtinlines.h:372
    #8 0x7f1b53da19dd in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:389
    #9 0x7f1b53d91dd1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2348
    #10 0x7f1b53d7d8ee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:346
    #11 0x7f1b53da18d8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:404
    #12 0x7f1b53da2792 in Invoke src/js/src/jsinterp.h:112
    #13 0x7f1b53da2792 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:437
    #14 0x7f1b53c56e27 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5791
    #15 0x7f1b51807285 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
    #16 0x7f1b517f610d in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
    #17 0x7f1b52aa09ea in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
    #18 0x7f1b52a9fa42 in SharedStub
    #19 0x7f1b52a5fb5f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
    #20 0x7f1b52997522 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:237
    #21 0x7f1b51bb0966 in nsXULWindow::ShowModal() src/xpfe/appshell/src/nsXULWindow.cpp:366
    #22 0x7f1b51b0ad3a in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1072
    #23 0x7f1b51b03da2 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:404
    #24 0x7f1b52a9f836 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #25 0x7f1b5181ba43 in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:3081
    #26 0x7f1b5181ba43 in CallMethodHelper src/js/xpconnect/src/XPCWrappedNative.cpp:2415
    #27 0x7f1b5181ba43 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:2381
    #28 0x7f1b51830018 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
    #29 0x7f1b53da19dd in native src/js/src/jscntxtinlines.h:372
    #30 0x7f1b53da19dd in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:389
    #31 0x7f1b53d91dd1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2348
    #32 0x7f1b53d7d8ee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:346
    #33 0x7f1b53da18d8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:404
    #34 0x7f1b53da2792 in Invoke src/js/src/jsinterp.h:112
    #35 0x7f1b53da2792 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:437
    #36 0x7f1b53c56e27 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5791
    #37 0x7f1b51807285 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
    #38 0x7f1b517f610d in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
    #39 0x7f1b52aa09ea in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
    #40 0x7f1b52a9fa42 in SharedStub
    #41 0x7f1b5125e6e2 in nsPrintEngine::ShowPrintErrorDialog(tag_nsresult, bool) src/layout/printing/nsPrintEngine.cpp:1632
    #42 0x7f1b5125a18d in nsPrintEngine::CommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, nsIDOMDocument*) src/layout/printing/nsPrintEngine.cpp:426
    #43 0x7f1b4f94a398 in nsDocumentViewer::Print(nsIPrintSettings*, nsIWebProgressListener*) src/layout/base/nsDocumentViewer.cpp:3666
    #44 0x7f1b52a9f836 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #45 0x7f1b5181ba43 in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:3081
    #46 0x7f1b5181ba43 in CallMethodHelper src/js/xpconnect/src/XPCWrappedNative.cpp:2415
    #47 0x7f1b5181ba43 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:2381
    #48 0x7f1b51830018 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
    #49 0x7f1b53da19dd in native src/js/src/jscntxtinlines.h:372
    #50 0x7f1b53da19dd in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:389
    #51 0x7f1b53d91dd1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2348
    #52 0x7f1b53d7d8ee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:346
    #53 0x7f1b53da18d8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:404
    #54 0x7f1b53da2792 in Invoke src/js/src/jsinterp.h:112
    #55 0x7f1b53da2792 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:437
    #56 0x7f1b53c56e27 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5791
    #57 0x7f1b51807285 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
    #58 0x7f1b517f610d in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
    #59 0x7f1b52aa09ea in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
    #60 0x7f1b52a9fa42 in SharedStub
    #61 0x7f1b52a5fb5f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
    #62 0x7f1b52997522 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:237
    #63 0x7f1b52480b9c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #64 0x7f1b52aee318 in RunInternal src/ipc/chromium/src/base/message_loop.cc:215
    #65 0x7f1b52aee318 in RunHandler src/ipc/chromium/src/base/message_loop.cc:208
    #66 0x7f1b52aee318 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
    #67 0x7f1b5217bbcd in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #68 0x7f1b4f104adf in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3891
    #69 0x7f1b4f105aba in XRE_main src/toolkit/xre/nsAppRunner.cpp:4089
    #70 0x4097bd in do_main src/browser/app/nsBrowserApp.cpp:174
    #71 0x4097bd in main src/browser/app/nsBrowserApp.cpp:279
    #72 0x7f1b5895076c in
0x7f1b334eae80 is located 64 bytes inside of 128-byte region [0x7f1b334eae40,0x7f1b334eaec0)
freed by thread T0 here:
    #0 0x4265e0 in __interceptor_free
    #1 0x7f1b51258f62 in operator= src/../../dist/include/mozilla/mozalloc.h:224
    #2 0x7f1b51258f62 in nsPrintEngine::Release() src/layout/printing/nsPrintEngine.cpp:222
    #3 0x7f1b4f93bd67 in nsDocumentViewer::Show() src/layout/base/nsDocumentViewer.cpp:1938
    #4 0x7f1b4f996957 in nsPresContext::EnsureVisible() src/layout/base/nsPresContext.cpp:1829
    #5 0x7f1b4f9bc284 in PresShell::UnsuppressAndInvalidate() src/layout/base/nsPresShell.cpp:3579
    #6 0x7f1b51a17d24 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) src/docshell/base/nsDocShell.cpp:6514
    #7 0x7f1b51a15018 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) src/docshell/base/nsDocShell.cpp:6342
    #8 0x7f1b51a154ac in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) src/docshell/base/nsDocShell.cpp:6349
    #9 0x7f1b51a74a42 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:885
    #10 0x7f1b51a72ab7 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:775
    #11 0x7f1b51a73e5b in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:659
    #12 0x7f1b51a74659 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) src/uriloader/base/nsDocLoader.cpp:663
    #13 0x7f1b500f7622 in nsDocument::DoUnblockOnload() src/content/base/src/nsDocument.cpp:6972
    #14 0x7f1b500dec17 in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4220
    #15 0x7f1b50114586 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
previously allocated by thread T0 here:
    #0 0x4266a0 in malloc
    #1 0x7f1b56b1b148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f1b52a9f836 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #3 0x7f1b5181ba43 in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:3081
    #4 0x7f1b5181ba43 in CallMethodHelper src/js/xpconnect/src/XPCWrappedNative.cpp:2415
    #5 0x7f1b5181ba43 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:2381
    #6 0x7f1b51830018 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
    #7 0x7f1b53da19dd in native src/js/src/jscntxtinlines.h:372
    #8 0x7f1b53da19dd in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:389
    #9 0x7f1b53d91dd1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2348
    #10 0x7f1b53d7d8ee in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:346
    #11 0x7f1b53da18d8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:404
Shadow byte and word:
  0x1fe36669d5d0: fd
  0x1fe36669d5d0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fe36669d5b0: 00 00 00 00 00 00 fb fb
  0x1fe36669d5b8: fa fa fa fa fa fa fa fa
  0x1fe36669d5c0: fa fa fa fa fa fa fa fa
  0x1fe36669d5c8: fd fd fd fd fd fd fd fd
=>0x1fe36669d5d0: fd fd fd fd fd fd fd fd
  0x1fe36669d5d8: fa fa fa fa fa fa fa fa
  0x1fe36669d5e0: fa fa fa fa fa fa fa fa
  0x1fe36669d5e8: fd fd fd fd fd fd fd fd
  0x1fe36669d5f0: fd fd fd fd fd fd fd fd
==12857== ABORTING
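The ASan report above gives the shape of the bug: nsPrintEngine::CommonPrint calls ShowPrintErrorDialog, whose modal dialog spins a nested event loop (nsXULWindow::ShowModal, NS_ProcessNextEvent); an event in that loop reaches nsDocumentViewer::Show(), which releases the viewer's only reference to the print engine, and CommonPrint then reads a member of the freed engine. What follows is an added, constructed C++ model of that re-entrancy pattern beside the usual keep-alive fix (a local strong reference held across the nested loop). It is not Gecko code and not the patch attached to this bug, which the page does not show; every name in it is a stand-in chosen to mirror the frames in the report.

```cpp
#include <functional>
#include <vector>

// Constructed model (not Gecko code) of the re-entrancy in the ASan report above.
static std::vector<std::function<void()>> gEventQueue;   // pending main-thread events
// Stand-in for nsXULWindow::ShowModal(): runs queued events until the queue is empty.
static void SpinNestedEventLoop() {
    std::vector<std::function<void()>> events;
    events.swap(gEventQueue);
    for (auto& ev : events) ev();
}
// Stand-in for nsPrintEngine, using the nsISupports AddRef/Release convention.
struct PrintEngine {
    static int live;                      // engines currently alive, for the checks below
    int refcnt = 0;
    PrintEngine() { ++live; }
    ~PrintEngine() { --live; }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
};
int PrintEngine::live = 0;
// Minimal scoped strong reference (the role nsRefPtr plays in Gecko).
struct EngineRef {
    PrintEngine* p;
    explicit EngineRef(PrintEngine* q) : p(q) { p->AddRef(); }
    ~EngineRef() { p->Release(); }
};
// Stand-in for nsDocumentViewer, which holds the only reference to the engine.
struct DocumentViewer {
    PrintEngine* mPrintEngine = nullptr;
    void Show() {                         // nsDocumentViewer::Show() in the "freed by" stack
        if (mPrintEngine) { mPrintEngine->Release(); mPrintEngine = nullptr; }
    }
};
// Crashing shape: true if the engine died while CommonPrint was still on the stack
// (the real code then read a member of the freed engine: the reported UAF).
static bool CommonPrintUnsafe(PrintEngine* /*self*/) {
    SpinNestedEventLoop();                // ShowPrintErrorDialog -> modal dialog -> events
    return PrintEngine::live == 0;
}
// Fixed shape: a local strong reference guarantees the engine outlives the nested loop.
static bool CommonPrintFixed(PrintEngine* self) {
    EngineRef keepAlive(self);
    SpinNestedEventLoop();
    return PrintEngine::live == 0;        // false: self is still valid here
}

// One scenario: the viewer's Show() event fires inside the modal loop.
bool Simulate(bool fixed) {
    DocumentViewer viewer;
    viewer.mPrintEngine = new PrintEngine;
    viewer.mPrintEngine->AddRef();        // the owner's sole reference
    gEventQueue.push_back([&viewer] { viewer.Show(); });
    return fixed ? CommonPrintFixed(viewer.mPrintEngine) : CommonPrintUnsafe(viewer.mPrintEngine);
}
```

Simulate(false) reports the object dying mid-call, which is the condition ASan flagged; Simulate(true) reports it surviving until the keep-alive reference goes out of scope, and neither scenario leaks.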
Comment 1 Olli Pettay [:smaug] (TPAC) 2012-12-15 06:06:45 PST
Created attachment 692591 [details] [diff] [review]
patch
Comment 2 Olli Pettay [:smaug] (TPAC) 2012-12-15 12:38:32 PST
Comment on attachment 692591 [details] [diff] [review]
patch

[Security approval request comment]
How easily can the security issue be deduced from the patch?
Quite easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Well, the patch itself points to what the problem is.

Which older supported branches are affected by this flaw?
All

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The same fix should work everywhere.

How likely is this patch to cause regressions; how much testing does it need?
Should be super-safe. Could be landed very late in FF18/FF17esr cycle.
Comment 3 Daniel Veditz [:dveditz] 2012-12-17 14:46:24 PST
assigning a sec-moderate rating because in normal use this would require a user to manually print the page to be victimized, but for those who fell victim to the social engineering it could be critical.
Comment 4 Daniel Veditz [:dveditz] 2012-12-17 14:52:13 PST
Comment on attachment 692591 [details] [diff] [review]
patch

sec-approval+ for landing on m-c

Please request branch approvals -- would be nice to land this everywhere and it's safe enough, but not the end of the world if it doesn't make 18 or the last ESR-10.
Comment 5 David Chan [:dchan] 2012-12-17 15:10:06 PST
The bug committee has decided not to pay a bounty on this bug due to it being a sec-moderate bug. The risk is reduced due to the required user interaction.
Comment 6 Alex Keybl [:akeybl] 2012-12-17 16:10:20 PST
sec-moderate, so no reason to rush this into the final two FF18 betas. Also not critical enough to fix on ESR branches.
Comment 7 Olli Pettay [:smaug] (TPAC) 2012-12-17 17:01:43 PST
Should I wait before landing? Like land closer to FF19 release?
Comment 8 Alex Keybl [:akeybl] 2013-01-07 17:18:30 PST
(In reply to Olli Pettay [:smaug] from comment #7)
> Should I wait before landing? Like land closer to FF19 release?

You're welcome to land on mozilla-central now in preparation for uplift to branches in the next week or so.
Comment 9 Olli Pettay [:smaug] (TPAC) 2013-01-08 04:02:18 PST
Comment on attachment 692591 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Has been there since the dawn of time
User impact if declined: sg crashes
Testing completed (on m-c, etc.): about to land to m-c
Risk to taking this patch (and alternatives if risky): Super safe
String or UUID changes made by this patch: NA
Comment 10 Olli Pettay [:smaug] (TPAC) 2013-01-08 04:08:05 PST
https://hg.mozilla.org/mozilla-central/rev/8f818068da09
Comment 11 Ed Morley [:emorley] 2013-01-08 06:18:45 PST
If landing on mozilla-central rather than inbound, please can you star your pushes.

In the not so distant future, sheriffs will be starting to back people out for unstarred m-c pushes...

Cheers :-)
Comment 12 Olli Pettay [:smaug] (TPAC) 2013-01-08 08:00:03 PST
Oops, sorry. Had lunch. Bad excuse.
Comment 14 bhavana bajaj [:bajaj] 2013-01-31 15:47:31 PST
Comment on attachment 692591 [details] [diff] [review]
patch

Not needed on esr as it was decided "wontfix" (check comment #6).
