Bug 831095 - (CVE-2013-0775) Use-After-Free crash @xul!nsImageLoadingContent::OnStopContainer
Status: RESOLVED FIXED
Whiteboard: [asan][adv-main19+][adv-esr1703+]
Keywords: csectype-uaf, regression, sec-critical
Product: Core
Classification: Components
Component: DOM
Version: 21 Branch
Hardware: x86_64 Windows 8
Importance: -- critical
Target Milestone: mozilla21
Assigned To: Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary)
Blocks: 756419
Reported: 2013-01-15 16:55 PST by Nils
Modified: 2014-07-24 14:37 PDT
abillings: sec-bounty+
khuey: in-testsuite?
Attachments
testcase, crashes the browser (816 bytes, text/html)
2013-01-15 16:55 PST, Nils
Patch (2.46 KB, patch)
2013-01-16 11:39 PST, Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary)
bzbarsky: review+
akeybl: approval-mozilla-aurora+
akeybl: approval-mozilla-beta+
akeybl: approval-mozilla-esr17+
akeybl: approval-mozilla-b2g18+
abillings: sec-approval+

Description Nils 2013-01-15 16:55:50 PST
Created attachment 702600 [details]
testcase, crashes the browser

The attached testcase crashes when loaded in latest Firefox nightly. Crashes at random memory addresses.

Stack trace on Windows (this was with the previous testcase, which loaded a JPEG file instead of a PNG from a data URI):
xul!nsImageLoadingContent::OnStopContainer+0x37:
64fcc61e ff5128          call    dword ptr [ecx+28h]  ds:002b:00000029=????????
0:000:x86> cdb: Reading initial command 'kp 16;q'
ChildEBP RetAddr  
0033cb58 64e6eac6 xul!nsImageLoadingContent::OnStopContainer(class imgIRequest * aRequest = 0x07dc8e00, class imgIContainer * aContainer = 0x0779a790)+0x37
0033cb6c 64e2229d xul!imgRequestProxy::OnStopContainer(class imgIContainer * image = 0x0779a790)+0x36
0033cbfc 64dfd62b xul!imgRequest::OnStopDecode(class imgIRequest * aRequest = 0x00000000, tag_nsresult aStatus = NS_OK (0n0), wchar_t * aStatusArg = 0x00000000 "")+0xad
0033cc24 6501fca4 xul!mozilla::image::Decoder::PostDecodeDone(void)+0x67
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
0033cc2c 66072e8f xul!mozilla::image::term_source(struct jpeg_decompress_struct * jd = 0x07d47438)+0x14
0033cc38 64f86b63 gkmedias!jpeg_finish_decompress(struct jpeg_decompress_struct * cinfo = 0x07d47438)+0x5a
0033ce74 64f5beaf xul!mozilla::image::nsJPEGDecoder::WriteInternal(char * aBuffer = 0x07df5008 "G???", unsigned int aCount = 0x18e)+0x359
0033ce90 64faf970 xul!mozilla::image::RasterImage::WriteToDecoder(char * aBuffer = 0x07df5008 "G???", unsigned int aCount = 0x18e)+0x41
0033ceac 64f6ff0b xul!mozilla::image::RasterImage::DecodeSomeData(unsigned int aMaxBytes = 0x1000)+0x37
0033ceec 64fbaa9b xul!mozilla::image::RasterImage::DecodeWorker::DecodeSomeOfImage(class mozilla::image::RasterImage * aImg = 0x0779a790, mozilla::image::RasterImage::DecodeWorker::DecodeType aDecodeType = DECODE_TYPE_NORMAL (0n0))+0xbc
0033cf28 64e91dbf xul!mozilla::image::RasterImage::DecodeWorker::Run(void)+0xb6
0033cf98 6503c86f xul!nsThread::ProcessNextEvent(bool mayWait = false, bool * result = 0x0033cfd4)+0x2cf
0033cfcc 6504ca2b xul!mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate * aDelegate = 0x00a42001)+0x5f
0033d004 6504c9d3 xul!MessageLoop::RunHandler(void)+0x21
0033d020 6502fc8f xul!MessageLoop::Run(void)+0x15
0033d02c 6504c953 xul!nsBaseAppShell::Run(void)+0x34
0033ef80 65076c9d xul!nsAppShell::Run(void)+0x4e
0033ef8c 64fbc83a xul!nsAppStartup::Run(void)+0x1e
0033f058 6501522d xul!XREMain::XRE_mainRun(void)+0x405
0033f074 65037bb4 xul!XREMain::XRE_main(int argc = 0n5, char ** argv = 0x00134660, struct nsXREAppData * aAppData = 0x00c332e0)+0xde
*** WARNING: Unable to verify checksum for firefox.exe
0033f18c 00c31742 xul!XRE_main(int argc = 0n5, char ** argv = 0x00134660, struct nsXREAppData * aAppData = 0x00c332e0, unsigned int aFlags = 0)+0x30
0033fc64 00c31a64 firefox!wmain(int argc = 0n5, wchar_t ** argv = 0x00132e90)+0x742
quit:
Comment 1 Nils 2013-01-15 16:57:03 PST
ASAN output:

==20176== ERROR: AddressSanitizer heap-use-after-free on address 0x7f900bfd0188 at pc 0x7f90777e5153 bp 0x7ffffd830730 sp 0x7ffffd830728
READ of size 8 at 0x7f900bfd0188 thread T0
    #0 0x7f90777e5152 in _ZN21nsImageLoadingContent6NotifyEP11imgIRequestiPK9nsIntRect /builds/slave/try-lnx64/build/content/base/src/nsImageLoadingContent.cpp:146
    #1 0x7f9076e0b2ab in _ZN15imgRequestProxy12OnStopDecodeEv /builds/slave/try-lnx64/build/image/src/imgRequestProxy.cpp:713
    #2 0x7f9076e1d283 in _ZN16imgStatusTracker10SyncNotifyEP15imgRequestProxy /builds/slave/try-lnx64/build/image/src/imgStatusTracker.cpp:433
    #3 0x7f9076e1f23e in _ZN24imgRequestNotifyRunnable3RunEv /builds/slave/try-lnx64/build/image/src/imgStatusTracker.cpp:289
0x7f900bfd0188 is located 8 bytes inside of 16-byte region [0x7f900bfd0180,0x7f900bfd0190)
freed by thread T0 here:
    #0 0x433730 in free ??:0
    #1 0x7f90777e6e08 in _ZdlPv /builds/slave/try-lnx64/build/../../../dist/include/mozilla/mozalloc.h:224
previously allocated by thread T0 here:
    #0 0x4337f0 in __interceptor_malloc ??:0
    #1 0x7f907e0b5228 in moz_xmalloc /builds/slave/try-lnx64/build/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f9076eda7aa in _ZN21nsCSSFrameConstructor19InitAndRestoreFrameERK23nsFrameConstructorStateP10nsIContentP8nsIFrameS6_S6_b /builds/slave/try-lnx64/build/layout/base/nsCSSFrameConstructor.cpp:4506
    #3 0x7f9076ee1f4c in _ZN21nsCSSFrameConstructor23ConstructFramesFromItemER23nsFrameConstructorStateRNS_25FrameConstructionItemList8IteratorEP8nsIFrameR12nsFrameItems /builds/slave/try-lnx64/build/layout/base/nsCSSFrameConstructor.cpp:5506
Shadow byte and word:
  0x1ff2017fa031: fd
  0x1ff2017fa030: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff2017fa010: fd fd fd fd fd fd fd fd
  0x1ff2017fa018: fd fd fd fd fd fd fd fd
  0x1ff2017fa020: fa fa fa fa fa fa fa fa
  0x1ff2017fa028: fa fa fa fa fa fa fa fa
=>0x1ff2017fa030: fd fd fd fd fd fd fd fd
  0x1ff2017fa038: fd fd fd fd fd fd fd fd
  0x1ff2017fa040: fa fa fa fa fa fa fa fa
  0x1ff2017fa048: fa fa fa fa fa fa fa fa
  0x1ff2017fa050: fd fd fd fd fd fd fd fd
Stats: 763M malloced (935M for red zones) by 2315206 calls
Stats: 91M realloced by 137427 calls
Stats: 715M freed by 2121167 calls
Stats: 602M really freed by 1735359 calls
Stats: 820M (210041 full pages) mmaped in 204 calls
  mmaps   by size class: 8:737235; 9:147438; 10:32760; 11:24564; 12:6144; 13:3584; 14:2048; 15:1792; 16:1216; 17:1280; 18:48; 19:64; 20:28; 21:10; 22:3; 23:1;
  mallocs by size class: 8:1787993; 9:339499; 10:89657; 11:61196; 12:13384; 13:10402; 14:5231; 15:2703; 16:2718; 17:2221; 18:60; 19:81; 20:47; 21:10; 22:3; 23:1;
  frees   by size class: 8:1625836; 9:321315; 10:83377; 11:57123; 12:11731; 13:9386; 14:4920; 15:2569; 16:2530; 17:2204; 18:50; 19:68; 20:46; 21:8; 22:3; 23:1;
  rfrees  by size class: 8:1330385; 9:262065; 10:68831; 11:45742; 12:10394; 13:7007; 14:4565; 15:2309; 16:2006; 17:1904; 18:43; 19:64; 20:32; 21:8; 22:3; 23:1;
Stats: malloc large: 2424 small slow: 10417
==20176== ABORTING
Comment 2 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-16 11:35:14 PST
Matt can you find a regression range for this?
Comment 3 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-16 11:39:36 PST
Created attachment 702947 [details] [diff] [review]
Patch

So, the immediate problem here is that an nsImageLoadingContent observer causes an attribute mutation, which fires a mutation event, which lets script synchronously mess with the observer list.  This attribute mutation was added in Bug 756419.  What I don't understand is why this only recently started crashing (it doesn't crash Aurora, for instance).

Regardless, the attached patch adds a script blocker and makes us happy.
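The reentrancy described in comment 3, as an added C++ model that is not Gecko's code: a notification callback stands in for the observer work that ends up running script, and that script removes a sibling observer while the list is still being walked. The plain loop reaches the removed entry (the model counts such stale reaches instead of dereferencing freed memory); holding a script blocker during notification defers the removal until the walk is finished. Class and function names here are assumptions for the illustration.

```cpp
#include <algorithm>
#include <functional>
#include <vector>
// Model of nsImageLoadingContent's observer list (added example, not Gecko code): a
// callback stands in for observer work that runs script via a mutation event and edits the list.
class ImageLoadingContent {
public:
    using Callback = std::function<void()>;
    struct Entry { int id; Callback cb; };
    int AddObserver(Callback cb) {
        observers_.push_back({nextId_, cb}); return nextId_++;
    }
    // Immediate unless a script blocker is held; then queued until release (the fix).
    void RemoveObserver(int id) {
        if (scriptBlockers_ > 0) { pending_.push_back(id); return; }
        observers_.erase(std::remove_if(observers_.begin(), observers_.end(),
            [id](const Entry& e) { return e.id == id; }), observers_.end());
    }
    // Walks a snapshot, as an iterator over the live list would, and returns how many
    // observers were reached after an earlier callback removed them (a UAF in real code).
    int NotifyStopContainer(bool holdScriptBlocker) {
        if (holdScriptBlocker) ++scriptBlockers_;
        std::vector<int> snapshot;
        for (const Entry& e : observers_) snapshot.push_back(e.id);
        int stale = 0;
        for (int id : snapshot) {
            auto it = std::find_if(observers_.begin(), observers_.end(),
                [id](const Entry& e) { return e.id == id; });
            if (it == observers_.end()) { ++stale; continue; }
            Callback cb = it->cb; cb();  // copy first: the callback may erase its own entry
        }
        if (holdScriptBlocker && --scriptBlockers_ == 0) {
            std::vector<int> flush; flush.swap(pending_);
            for (int id : flush) RemoveObserver(id);
        }
        return stale;
    }
private:
    std::vector<Entry> observers_; std::vector<int> pending_;
    int scriptBlockers_ = 0, nextId_ = 1;
};
// Comment 3's scenario: observer 1's "script" removes observer 2 mid-notification.
int RunScenario(bool holdScriptBlocker) {
    ImageLoadingContent content;
    int second = 0;
    content.AddObserver([&] { content.RemoveObserver(second); });
    second = content.AddObserver([] {});
    return content.NotifyStopContainer(holdScriptBlocker);
}
```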
Comment 4 Boris Zbarsky [:bz] 2013-01-16 11:44:48 PST
Comment on attachment 702947 [details] [diff] [review]
Patch

r=me
Comment 5 Alice0775 White 2013-01-16 14:45:03 PST
I can reproduce the crash in Firefox esr17, 18, 19beta, Aurora20.0a2 and Nightly21.0a1.

bp-d61d7c66-e347-4890-bac7-b821d2130116
http://hg.mozilla.org/releases/mozilla-esr17/rev/023401f37090
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0 ID:20130107124423
bp-9bbc3ac5-59c4-46e3-818e-03d262130116
http://hg.mozilla.org/releases/mozilla-release/rev/8efe34fa2289
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 ID:20130104151925
bp-1e48dbec-06f8-4af9-9c1b-bb68b2130116
http://hg.mozilla.org/releases/mozilla-beta/rev/222e6877be4b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 ID:20130109111322
bp-99657006-3b7b-47db-9ea8-6a6002130116
http://hg.mozilla.org/releases/mozilla-aurora/rev/3f9116d9a244
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20130116 Firefox/20.0 ID:20130116042017
bp-3d958d17-6fe0-4129-bd3a-de7f02130116
http://hg.mozilla.org/mozilla-central/rev/d8be4bc4fba8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130116 Firefox/21.0 ID:20130116031003
Comment 6 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-16 14:55:48 PST
Ok, that makes more sense, and I think we can blame it on Bug 756419 then.

I was unable to get a crash on non-trunk branches, but I was using opt instead of debug there.
Comment 7 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-17 05:20:52 PST
Comment on attachment 702947 [details] [diff] [review]
Patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Moderately difficult.  A motivated observer could audit all of the things that observe nsImageLoadingContent to see which are likely to trigger content script execution, and from there figure out how to mess up the observer list.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

N/A

Which older supported branches are affected by this flaw?

All supported branches.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This backports to Aurora cleanly, Beta with trivial modifications, ESR 17 with slightly less trivial modifications.

How likely is this patch to cause regressions; how much testing does it need?

This patch is unlikely to cause regressions and needs limited testing.
Comment 8 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-18 09:51:01 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/2265cb7faaae
Comment 9 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-18 09:53:02 PST
Comment on attachment 702947 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 756419
User impact if declined: Exploitable security bug
Testing completed: Tested manually, on try, on m-c.
Risk to taking this patch (and alternatives if risky): Low risk
String or UUID changes made by this patch: None
Comment 10 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-01-19 10:37:44 PST
https://hg.mozilla.org/mozilla-central/rev/2265cb7faaae
Comment 11 Alex Keybl [:akeybl] 2013-01-22 06:39:43 PST
Comment on attachment 702947 [details] [diff] [review]
Patch

Let's land this low risk sg:crit fix on all branches other than B2G. We'll let you know when this is ready to land for B2G.
Comment 13 Lukas Blakk [:lsblakk] use ?needinfo 2013-01-22 12:51:01 PST
Since this isn't on b2g18 yet, we'll track for v1.0.1 and approve after 1/25 when mozilla-b2g18 is open for landings. See https://wiki.mozilla.org/Release_Management/B2G_Landing for more info.
Comment 14 Matt Wobensmith [:mwobensmith][:matt:] 2013-01-24 14:05:37 PST
Confirmed crash 2013-01-15, m-c 
Verified fixed 2013-01-24, m-c 
Verified fixed 2013-01-24, Aurora
Verified fixed 2013-01-24, beta
Verified fixed 2013-01-24, 17.0.2esr
Comment 16 Alex Keybl [:akeybl] 2013-01-31 17:00:15 PST
Comment on attachment 702947 [details] [diff] [review]
Patch

This can now be landed mozilla-b2g18, which is currently v1.0.1.
Comment 17 Ryan VanderMeulen [:RyanVM] 2013-02-01 06:41:27 PST
Kyle, I'm guessing that what landed on esr17 is the closest to what needs to land on b2g18?
Comment 18 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2013-02-02 02:23:16 PST
https://hg.mozilla.org/releases/mozilla-b2g18/rev/7b9885451650
Comment 19 Alex Keybl [:akeybl] 2013-04-02 14:58:42 PDT
Since Firefox 20 is now released, v1.0.1 branches are still open, and this is considered low risk, we can uplift to v1.0.1. Marking as tef+ and flipping status-b2g18-v1.0.1 to affected.
Comment 20 Ryan VanderMeulen [:RyanVM] 2013-05-06 07:01:18 PDT
This landed prior to v1.0.1 branching off.