Closed Bug 824643 Opened 10 years ago Closed 10 years ago

heap-use-after-free in nsTreeBodyFrame::UpdateScrollbars

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla20

Tracking Flags:

Tracking

Status

firefox19

---

affected

firefox20

---

fixed

firefox21

---

fixed

firefox-esr17

---

wontfix

b2g18

---

wontfix

People

(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)

Details

(Keywords: csectype-framepoisoning, csectype-uaf, sec-other, Whiteboard: [adv-main20+])

Attachments

(1 file)

fix 10 years ago Mats Palmgren (inactive) 1.28 KB, patch	roc : review+	Details \| Diff \| Splinter Review

Mats Palmgren (inactive)

Assignee

Description

•

10 years ago

STR: load layout/xul/base/src/tree/src/409807-1.xul in an ASan build compiled
with -DDEBUG_TRACEMALLOC_PRESARENA

   871  nsTreeBodyFrame::UpdateScrollbars(const ScrollParts& aParts)
   872  {
   873    nscoord rowHeightAsPixels = nsPresContext::AppUnitsToIntCSSPixels(mRowHeight);
   874  
   875    if (aParts.mVScrollbar) {
   876      nsAutoString curPos;
   877      curPos.AppendInt(mTopRowIndex*rowHeightAsPixels);
   878      aParts.mVScrollbarContent->
   879        SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
   880    }
   881  
   882    if (aParts.mHScrollbar) {
   883      nsAutoString curPos;
   884      curPos.AppendInt(mHorzPosition);
   885      aParts.mHScrollbarContent->
   886        SetAttr(kNameSpaceID_None, nsGkAtoms::curpos, curPos, true);
   887    }
   888  }

The SetAttr causes the frame to be destroyed, so we'll read some poisoned
value for this->mHorzPosition on line 884.  aParts.mHScrollbarContent
is a strong ref.  It looks harmless at first glance, but filing the
bug as Security-Sensitive just in case.

Mats Palmgren (inactive)

Assignee

Comment 1

•

10 years ago

Attached patch fix — Details — Splinter Review

https://tbpl.mozilla.org/?tree=Try&rev=58eeb5c8c0d0

Attachment #695668 - Flags: review?(roc)

Robert O'Callahan (:roc) (email my personal email if necessary)

Updated

•

10 years ago

Attachment #695668 - Flags: review?(roc) → review+

Andrew McCreight [:mccr8]

Updated

•

10 years ago

Keywords: sec-audit

Mats Palmgren (inactive)

Assignee

Comment 2

•

10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/4ab11d8ed73b

Mats Palmgren (inactive)

Assignee

Comment 3

•

10 years ago

http://hg.mozilla.org/mozilla-central/rev/4ab11d8ed73b

status-firefox20: --- → fixed

Target Milestone: --- → mozilla20

Mats Palmgren (inactive)

Assignee

Updated

•

10 years ago

Status: NEW → RESOLVED

Closed: 10 years ago

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Comment 4

•

10 years ago

is this a frame-poisoned DoS or should we try to get this fix on older branches as well?

status-b2g18: --- → affected

status-firefox19: --- → affected

status-firefox21: --- → fixed

status-firefox-esr17: --- → affected

Robert O'Callahan (:roc) (email my personal email if necessary)

Comment 5

•

10 years ago

I believe it's frame-poisoned.

Daniel Veditz [:dveditz]

Updated

•

10 years ago

Keywords: sec-audit → csec-framepoisoning, sec-other

Alex Keybl [:akeybl]

Updated

•

10 years ago

status-b2g18: affected → wontfix

status-firefox-esr17: affected → wontfix

Al Billings [:abillings - ex-MoCo]

Updated

•

10 years ago

Whiteboard: [adv-main20+]

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Group: core-security

Daniel Veditz [:dveditz]

Updated

•

6 years ago

Keywords: csectype-uaf

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

heap-use-after-free in nsTreeBodyFrame::UpdateScrollbars

Categories

(Core :: XUL, defect)

Tracking

()

People

(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: csectype-framepoisoning, csectype-uaf, sec-other, Whiteboard: [adv-main20+])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Updated

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Updated

Updated

Updated

Updated

Updated