UAF with transform and fixed position




6 years ago
4 years ago


(Reporter: nils, Assigned: nils)


(5 keywords)

21 Branch
crash, csectype-framepoisoning, csectype-uaf, sec-critical, testcase
Bug Flags:
sec-bounty -
in-testsuite +

Firefox Tracking Flags

(firefox19 unaffected, firefox20 fixed, firefox21 fixed, firefox-esr17 unaffected, b2g18 unaffected)


(Whiteboard: [asan][sg:dupe 830192])


(2 attachments)



6 years ago
Created attachment 705142 [details]
crash.html (crashes firefox)

The attached testcase (crash.html) crashes the latest nightly on a poison value as the result of a use-after-free condition.

The stack backtrace on linux:

Program received signal SIGSEGV, Segmentation fault.
0x00007f1f1c1ac39b in nsGenericHTMLElement::GetOffsetRect(nsRect&) () from /home/fred/nightly/firefox/
(gdb) info reg
rax            0x7ffffffff0dea7ff	9223372036600932351
rbx            0x7f1ef6b61268	139770964873832
rcx            0xf	15
rdx            0x7f1f1e3ece90	139771628146320
rsi            0x1	1
rdi            0x7f1ef2cdfbd0	139770899332048
rbp            0x7fff7c29c530	0x7fff7c29c530
rsp            0x7fff7c29c470	0x7fff7c29c470
r8             0x7f1ef801d520	139770986616096
r9             0x7f1f1e3ed650	139771628148304
r10            0x7fff7c29c460	140735276500064
r11            0x7f1ef65df000	139770959097856
r12            0x7f1f08802130	139771263328560
r13            0x7fff7c29c540	140735276500288
r14            0x7f1ef2cdfbd0	139770899332048
r15            0x7f1ef7e86800	139770984949760
rip            0x7f1f1c1ac39b	0x7f1f1c1ac39b <nsGenericHTMLElement::GetOffsetRect(nsRect&)+95>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) bt 20
#0  0x00007f1f1c1ac39b in nsGenericHTMLElement::GetOffsetRect(nsRect&) () from /home/fred/nightly/firefox/
#1  0x00007f1f1c66f751 in mozilla::dom::HTMLElementBinding::get_offsetHeight(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JS::Value*) ()
   from /home/fred/nightly/firefox/
#2  0x00007f1f1c671297 in mozilla::dom::HTMLElementBinding::genericGetter(JSContext*, unsigned int, JS::Value*) () from /home/fred/nightly/firefox/
#3  0x00007f1f1d42d2c1 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) () from /home/fred/nightly/firefox/
#4  0x00007f1f1d42dae4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) () from /home/fred/nightly/firefox/
#5  0x00007f1f1d42dc5f in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) () from /home/fred/nightly/firefox/
#6  0x00007f1f1d43f716 in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) ()
   from /home/fred/nightly/firefox/
#7  0x00007f1f1d42494e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) () from /home/fred/nightly/firefox/
#8  0x00007f1f1d42cea7 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) () from /home/fred/nightly/firefox/
#9  0x00007f1f1d42d063 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) ()
   from /home/fred/nightly/firefox/
#10 0x00007f1f1d43027f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) () from /home/fred/nightly/firefox/
#11 0x00007f1f1d3db331 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) ()
   from /home/fred/nightly/firefox/
#12 0x00007f1f1cf38621 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) () from /home/fred/nightly/firefox/
#13 0x00007f1f1cf47d48 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) () from /home/fred/nightly/firefox/
#14 0x00007f1f1cf48077 in nsGlobalWindow::RunTimeout(nsTimeout*) () from /home/fred/nightly/firefox/
#15 0x00007f1f1cf4822e in nsGlobalWindow::TimerCallback(nsITimer*, void*) () from /home/fred/nightly/firefox/
#16 0x00007f1f1d27b966 in nsTimerImpl::Fire() () from /home/fred/nightly/firefox/
#17 0x00007f1f1d27ba45 in nsTimerEvent::Run() () from /home/fred/nightly/firefox/
#18 0x00007f1f1d278492 in nsThread::ProcessNextEvent(bool, bool*) () from /home/fred/nightly/firefox/
#19 0x00007f1f1d25189c in NS_ProcessNextEvent_P(nsIThread*, bool) () from /home/fred/nightly/firefox/

Comment 1

6 years ago
A minor change to the testcase result in crashes in the garbage collector which look a lot more scary. See attached exploitable.html.

Just a wild guess as to why this happens: In the second testcase offsetHeight is retrieved from o0 instead of o11. o0 is the parent element of o11 and the retrieval of the offsetHeight attribute leads to a wider re-layouting of the page. This might lead to an allocation of a new object into the location of the freed object which then in turn leads to multiple references to properties of this object which are not protected by the PresArena protections. Would that make sense?

Stack-backtrace on Linux:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3a1ff25 in nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&) ()
   from /home/fred/nightly/firefox/
(gdb) info reg
rax            0x78004900000001	33777310737891329
rbx            0x7fffe97ca150	140737110647120
rcx            0x45501f6f	1162878831
rdx            0x7ffff4402c74	140737291234420
rsi            0xb	11
rdi            0x7fffffffca80	140737488341632
rbp            0x7fffffffca40	0x7fffffffca40
rsp            0x7fffffffca20	0x7fffffffca20
r8             0xaecc30a7	2932617383
r9             0x7fffffffca40	140737488341568
r10            0x44815f7a	1149329274
r11            0xaa7e5e96	2860408470
r12            0x7fffffffca80	140737488341632
r13            0x7fffdf66ba60	140736941439584
r14            0x7ffff50fc0e0	140737304838368
r15            0x7ffff50fbf10	140737304837904
rip            0x7ffff3a1ff25	0x7ffff3a1ff25 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+85>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/10i $rip
=> 0x7ffff3a1ff25 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+85>:	mov    0x1bc(%rax),%eax
   0x7ffff3a1ff2b <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+91>:	test   %eax,%eax
   0x7ffff3a1ff2d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+93>:	
    je     0x7ffff3a1ff4d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+125>
   0x7ffff3a1ff2f <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+95>:	
    cmp    0x19c5e3b(%rip),%eax        # 0x7ffff53e5d70 <_ZN23nsCCUncollectableMarker11sGenerationE>
   0x7ffff3a1ff35 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+101>:	
    jne    0x7ffff3a1ff4d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+125>
   0x7ffff3a1ff37 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+103>:	testb  $0x2,0x8(%r12)
   0x7ffff3a1ff3d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+109>:	mov    $0x460002,%eax
   0x7ffff3a1ff42 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+114>:	
    jne    0x7ffff3a1ff4d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+125>
   0x7ffff3a1ff44 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+116>:	pop    %r13
   0x7ffff3a1ff46 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+118>:	pop    %rbx
(gdb) bt 30
#0  0x00007ffff3a1ff25 in nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&) ()
   from /home/fred/nightly/firefox/
#1  0x00007ffff3f80aa2 in nsPurpleBuffer::RemoveSkippable(bool) () from /home/fred/nightly/firefox/
#2  0x00007ffff3f82574 in nsCycleCollector::ForgetSkippable(bool) () from /home/fred/nightly/firefox/
#3  0x00007ffff3f84749 in nsCycleCollector_forgetSkippable(bool) () from /home/fred/nightly/firefox/
#4  0x00007ffff3c33128 in FireForgetSkippable(unsigned int, bool) () from /home/fred/nightly/firefox/
#5  0x00007ffff3c37ba3 in CCTimerFired(nsITimer*, void*) () from /home/fred/nightly/firefox/
#6  0x00007ffff3f7b966 in nsTimerImpl::Fire() () from /home/fred/nightly/firefox/
#7  0x00007ffff3f7ba45 in nsTimerEvent::Run() () from /home/fred/nightly/firefox/
#8  0x00007ffff3f78492 in nsThread::ProcessNextEvent(bool, bool*) () from /home/fred/nightly/firefox/
#9  0x00007ffff3f5189c in NS_ProcessNextEvent_P(nsIThread*, bool) () from /home/fred/nightly/firefox/
#10 0x00007ffff3edff91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /home/fred/nightly/firefox/
#11 0x00007ffff3f99ec3 in MessageLoop::Run() () from /home/fred/nightly/firefox/
#12 0x00007ffff31f2d94 in nsBaseAppShell::Run() () from /home/fred/nightly/firefox/
#13 0x00007ffff3126e4a in nsAppStartup::Run() () from /home/fred/nightly/firefox/
#14 0x00007ffff38acd6b in XREMain::XRE_mainRun() () from /home/fred/nightly/firefox/
#15 0x00007ffff2c7e2fc in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /home/fred/nightly/firefox/
#16 0x00007ffff2c7e48f in XRE_main () from /home/fred/nightly/firefox/
#17 0x000000000040772b in do_main(int, char**, nsIFile*) ()
#18 0x00000000004079ec in main ()

Comment 2

6 years ago
Created attachment 705146 [details]
exploitable.html (crashes firefox)


6 years ago
Attachment #705142 - Attachment mime type: text/plain → text/html

Comment 3

6 years ago
(In reply to Nils from comment #1)
> A minor change to the testcase result in crashes in the garbage collector
Cycle collector ;)

But that anyhow looks different bug. Reminds a lot like bug 816359.
Both tests crashes my Linux64 debug build.  Applying the fix in bug 830192 fixed it.
(patch hasn't landed yet)
Last Resolved: 6 years ago
Component: DOM → Layout: Block and Inline
Flags: in-testsuite?
Keywords: crash, testcase
Resolution: --- → DUPLICATE
Whiteboard: [asan]
Duplicate of bug: 830192
Group: core-security
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → fixed
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
Keywords: csec-uaf
Whiteboard: [asan] → [asan][sg:dupe 830192]
Keywords: sec-critical
Flags: sec-bounty-
Keywords: csec-framepoisoning
Crash test:
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.