Closed Bug 833604 Opened 12 years ago Closed 12 years ago

UAF with transform and fixed position

Categories

(Core :: Layout: Block and Inline, defect)

21 Branch
x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 830192
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: nils, Assigned: nils)

Details

(6 keywords, Whiteboard: [asan][sg:dupe 830192])

Attachments

(2 files)

The attached testcase (crash.html) crashes the latest nightly on a poison value as the result of a use-after-free condition. The stack backtrace on Linux:

Program received signal SIGSEGV, Segmentation fault.
0x00007f1f1c1ac39b in nsGenericHTMLElement::GetOffsetRect(nsRect&) () from /home/fred/nightly/firefox/libxul.so
(gdb) info reg
rax            0x7ffffffff0dea7ff   9223372036600932351
rbx            0x7f1ef6b61268       139770964873832
rcx            0xf                  15
rdx            0x7f1f1e3ece90       139771628146320
rsi            0x1                  1
rdi            0x7f1ef2cdfbd0       139770899332048
rbp            0x7fff7c29c530       0x7fff7c29c530
rsp            0x7fff7c29c470       0x7fff7c29c470
r8             0x7f1ef801d520       139770986616096
r9             0x7f1f1e3ed650       139771628148304
r10            0x7fff7c29c460       140735276500064
r11            0x7f1ef65df000       139770959097856
r12            0x7f1f08802130       139771263328560
r13            0x7fff7c29c540       140735276500288
r14            0x7f1ef2cdfbd0       139770899332048
r15            0x7f1ef7e86800       139770984949760
rip            0x7f1f1c1ac39b       0x7f1f1c1ac39b <nsGenericHTMLElement::GetOffsetRect(nsRect&)+95>
eflags         0x10202              [ IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) bt 20
#0  0x00007f1f1c1ac39b in nsGenericHTMLElement::GetOffsetRect(nsRect&) () from /home/fred/nightly/firefox/libxul.so
#1  0x00007f1f1c66f751 in mozilla::dom::HTMLElementBinding::get_offsetHeight(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#2  0x00007f1f1c671297 in mozilla::dom::HTMLElementBinding::genericGetter(JSContext*, unsigned int, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#3  0x00007f1f1d42d2c1 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) () from /home/fred/nightly/firefox/libxul.so
#4  0x00007f1f1d42dae4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#5  0x00007f1f1d42dc5f in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#6  0x00007f1f1d43f716 in js::GetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>) () from /home/fred/nightly/firefox/libxul.so
#7  0x00007f1f1d42494e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) () from /home/fred/nightly/firefox/libxul.so
#8  0x00007f1f1d42cea7 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) () from /home/fred/nightly/firefox/libxul.so
#9  0x00007f1f1d42d063 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#10 0x00007f1f1d43027f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#11 0x00007f1f1d3db331 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#12 0x00007f1f1cf38621 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) () from /home/fred/nightly/firefox/libxul.so
#13 0x00007f1f1cf47d48 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) () from /home/fred/nightly/firefox/libxul.so
#14 0x00007f1f1cf48077 in nsGlobalWindow::RunTimeout(nsTimeout*) () from /home/fred/nightly/firefox/libxul.so
#15 0x00007f1f1cf4822e in nsGlobalWindow::TimerCallback(nsITimer*, void*) () from /home/fred/nightly/firefox/libxul.so
#16 0x00007f1f1d27b966 in nsTimerImpl::Fire() () from /home/fred/nightly/firefox/libxul.so
#17 0x00007f1f1d27ba45 in nsTimerEvent::Run() () from /home/fred/nightly/firefox/libxul.so
#18 0x00007f1f1d278492 in nsThread::ProcessNextEvent(bool, bool*) () from /home/fred/nightly/firefox/libxul.so
#19 0x00007f1f1d25189c in NS_ProcessNextEvent_P(nsIThread*, bool) () from /home/fred/nightly/firefox/libxul.so
A minor change to the testcase results in crashes in the garbage collector which look a lot more scary. See attached exploitable.html.

Just a wild guess as to why this happens: in the second testcase offsetHeight is retrieved from o0 instead of o11. o0 is the parent element of o11 and the retrieval of the offsetHeight attribute leads to a wider re-layouting of the page. This might lead to an allocation of a new object into the location of the freed object, which then in turn leads to multiple references to properties of this object which are not protected by the PresArena protections. Would that make sense?

Stack backtrace on Linux:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3a1ff25 in nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&) () from /home/fred/nightly/firefox/libxul.so
(gdb) info reg
rax            0x78004900000001     33777310737891329
rbx            0x7fffe97ca150       140737110647120
rcx            0x45501f6f           1162878831
rdx            0x7ffff4402c74       140737291234420
rsi            0xb                  11
rdi            0x7fffffffca80       140737488341632
rbp            0x7fffffffca40       0x7fffffffca40
rsp            0x7fffffffca20       0x7fffffffca20
r8             0xaecc30a7           2932617383
r9             0x7fffffffca40       140737488341568
r10            0x44815f7a           1149329274
r11            0xaa7e5e96           2860408470
r12            0x7fffffffca80       140737488341632
r13            0x7fffdf66ba60       140736941439584
r14            0x7ffff50fc0e0       140737304838368
r15            0x7ffff50fbf10       140737304837904
rip            0x7ffff3a1ff25       0x7ffff3a1ff25 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+85>
eflags         0x10202              [ IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) x/10i $rip
=> 0x7ffff3a1ff25 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+85>:   mov    0x1bc(%rax),%eax
   0x7ffff3a1ff2b <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+91>:   test   %eax,%eax
   0x7ffff3a1ff2d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+93>:   je     0x7ffff3a1ff4d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+125>
   0x7ffff3a1ff2f <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+95>:   cmp    0x19c5e3b(%rip),%eax        # 0x7ffff53e5d70 <_ZN23nsCCUncollectableMarker11sGenerationE>
   0x7ffff3a1ff35 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+101>:  jne    0x7ffff3a1ff4d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+125>
   0x7ffff3a1ff37 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+103>:  testb  $0x2,0x8(%r12)
   0x7ffff3a1ff3d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+109>:  mov    $0x460002,%eax
   0x7ffff3a1ff42 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+114>:  jne    0x7ffff3a1ff4d <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+125>
   0x7ffff3a1ff44 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+116>:  pop    %r13
   0x7ffff3a1ff46 <_ZN16nsFrameSelection15cycleCollection12TraverseImplEPS0_PvR34nsCycleCollectionTraversalCallback+118>:  pop    %rbx
(gdb) bt 30
#0  0x00007ffff3a1ff25 in nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&) () from /home/fred/nightly/firefox/libxul.so
#1  0x00007ffff3f80aa2 in nsPurpleBuffer::RemoveSkippable(bool) () from /home/fred/nightly/firefox/libxul.so
#2  0x00007ffff3f82574 in nsCycleCollector::ForgetSkippable(bool) () from /home/fred/nightly/firefox/libxul.so
#3  0x00007ffff3f84749 in nsCycleCollector_forgetSkippable(bool) () from /home/fred/nightly/firefox/libxul.so
#4  0x00007ffff3c33128 in FireForgetSkippable(unsigned int, bool) () from /home/fred/nightly/firefox/libxul.so
#5  0x00007ffff3c37ba3 in CCTimerFired(nsITimer*, void*) () from /home/fred/nightly/firefox/libxul.so
#6  0x00007ffff3f7b966 in nsTimerImpl::Fire() () from /home/fred/nightly/firefox/libxul.so
#7  0x00007ffff3f7ba45 in nsTimerEvent::Run() () from /home/fred/nightly/firefox/libxul.so
#8  0x00007ffff3f78492 in nsThread::ProcessNextEvent(bool, bool*) () from /home/fred/nightly/firefox/libxul.so
#9  0x00007ffff3f5189c in NS_ProcessNextEvent_P(nsIThread*, bool) () from /home/fred/nightly/firefox/libxul.so
#10 0x00007ffff3edff91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /home/fred/nightly/firefox/libxul.so
#11 0x00007ffff3f99ec3 in MessageLoop::Run() () from /home/fred/nightly/firefox/libxul.so
#12 0x00007ffff31f2d94 in nsBaseAppShell::Run() () from /home/fred/nightly/firefox/libxul.so
#13 0x00007ffff3126e4a in nsAppStartup::Run() () from /home/fred/nightly/firefox/libxul.so
#14 0x00007ffff38acd6b in XREMain::XRE_mainRun() () from /home/fred/nightly/firefox/libxul.so
#15 0x00007ffff2c7e2fc in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /home/fred/nightly/firefox/libxul.so
#16 0x00007ffff2c7e48f in XRE_main () from /home/fred/nightly/firefox/libxul.so
#17 0x000000000040772b in do_main(int, char**, nsIFile*) ()
#18 0x00000000004079ec in main ()
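The two crashes above differ in exactly the way the guess in comment 1 describes: the first one lands on a poison value (the 0x7ffffffff0dea7ff in rax), the second one reads plausible-looking but wrong data inside the cycle collector. The toy arena below is an added example, not Gecko's nsPresArena code, written to make that distinction concrete. It assumes a fixed-size block arena with an external free list, a two-field "frame" struct, and that the rax value from the first trace is the arena's poison word; all of those are assumptions for illustration. It shows that poisoning a freed block turns a stale read into a deterministic, non-attacker-controlled value, but gives no protection once a later allocation (here standing in for the re-layout in comment 1) is placed in the same slot and the dangling pointer starts aliasing a live object.

```c
/* Added example (not Gecko code): a toy fixed-size arena showing what
 * poisoning freed blocks does and does not protect against in a
 * use-after-free. Names, sizes and the frame_t layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BYTES 64
#define NBLOCKS     16

/* Assumed poison word, copied from rax in the first backtrace. In a real
 * allocator this points into a page that is reserved but never mapped, so
 * dereferencing it faults every time instead of reading attacker data. */
#define POISON_WORD ((uintptr_t)0x7ffffffff0dea7ffULL)

typedef struct {
    unsigned char mem[BLOCK_BYTES * NBLOCKS];
    size_t used;                 /* bytes handed out from the bump region   */
    void  *free_slots[NBLOCKS];  /* free list kept outside the blocks       */
    size_t nfree;
    int    poison;               /* nonzero: fill freed blocks with POISON_WORD */
} arena_t;

/* Toy "frame": one pointer field and one size field, like a layout object. */
typedef struct frame {
    struct frame *parent;
    uintptr_t     height;
} frame_t;

static void arena_init(arena_t *a, int poison) {
    memset(a, 0, sizeof *a);
    a->poison = poison;
}

static void *arena_alloc(arena_t *a) {
    if (a->nfree > 0) {                      /* recycle the most recently freed slot */
        void *p = a->free_slots[--a->nfree];
        memset(p, 0, BLOCK_BYTES);
        return p;
    }
    if (a->used + BLOCK_BYTES > sizeof a->mem) return NULL;
    void *p = a->mem + a->used;
    a->used += BLOCK_BYTES;
    return p;
}

static void arena_free(arena_t *a, void *p) {
    if (a->poison) {
        uintptr_t *w = (uintptr_t *)p;
        for (size_t i = 0; i < BLOCK_BYTES / sizeof(uintptr_t); i++)
            w[i] = POISON_WORD;              /* stale reads now yield a faulting address */
    }
    a->free_slots[a->nfree++] = p;           /* memory never leaves the arena */
}

/* Case 1: read through a dangling pointer while the slot is still free.
 * Returns frame->parent as seen by the stale reader: the old value without
 * poisoning, POISON_WORD with it. */
uintptr_t stale_read(int poison) {
    arena_t a;
    arena_init(&a, poison);
    frame_t *f = arena_alloc(&a);
    f->parent = (frame_t *)(uintptr_t)0x1234;   /* constructed sentinel value */
    frame_t *dangling = f;
    arena_free(&a, f);
    return (uintptr_t)dangling->parent;
}

/* Case 2: the scenario guessed at in comment 1. Between the free and the
 * stale access another allocation lands in the same slot, so the dangling
 * pointer aliases a live object and the poison is already gone. Returns 1
 * if the stale pointer observes the new object's field. */
int slot_reused(int poison) {
    arena_t a;
    arena_init(&a, poison);
    frame_t *f = arena_alloc(&a);
    frame_t *dangling = f;
    arena_free(&a, f);
    frame_t *g = arena_alloc(&a);              /* e.g. a frame created by re-layout */
    g->height = 42;
    return dangling == g && dangling->height == 42;
}

int main(void) {
    printf("stale read, no poison:  0x%llx\n", (unsigned long long)stale_read(0));
    printf("stale read, poisoned:   0x%llx\n", (unsigned long long)stale_read(1));
    printf("slot reused, poisoned:  %d\n", slot_reused(1));
    return 0;
}
```

With poisoning on, stale_read returns the poison word, which is the kind of crash comment 0 shows; slot_reused returns 1 regardless of poisoning, which is the kind of silent aliasing comment 1 suspects behind the cycle-collector crash. The practical consequence for triage is that a poison-value crash and a garbage-reading crash from the same testcase usually share one root cause and differ only in what was allocated between the free and the stale use.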
Attachment #705142 - Attachment mime type: text/plain → text/html
(In reply to Nils from comment #1)
> A minor change to the testcase result in crashes in the garbage collector

Cycle collector ;) But that anyhow looks like a different bug. Reminds me a lot of bug 816359.
Both tests crash my Linux64 debug build. Applying the fix in bug 830192 fixed it. (The patch hasn't landed yet.)
Status: NEW → RESOLVED
Closed: 12 years ago
Component: DOM → Layout: Block and Inline
Flags: in-testsuite?
Keywords: crash, testcase
Resolution: --- → DUPLICATE
Whiteboard: [asan]
Group: core-security
Keywords: csec-uaf
Whiteboard: [asan] → [asan][sg:dupe 830192]
Flags: sec-bounty-
Flags: in-testsuite? → in-testsuite+